CVE-2026-44566

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L                                    

Vulnerability Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, when attaching files to a promp, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with names containing dot-segments in the file path and traverse out of the intended uploads directory. Effectively, users can upload files anywhere on the filesystem the user running the web server has permission. This vulnerability is fixed in 0.1.124.

Vulnerability Details

Published Date

May 08, 2026

Last Modified

May 19, 2026

CWE ID

CWE-22

Source

GitHub

Vendor

pip

Product

open-webui

External References

https://github.com/open-webui/open-webui/security/advisories/GHSA-9pgh-j74g-qj6m
https://github.com/advisories/GHSA-9pgh-j74g-qj6m

CVE-2026-44566

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment