CVE-2026-54009
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
In Open WebUI prior to version 0.9.6, a vulnerability allows an authenticated user to access other users' files by manipulating the image_url.url parameter in the POST /api/chat/completions request. If this value does not start with http://, https://, or data:image/, it is interpreted as a file id, allowing access to the file content without permission checks.
Risk Assessment
This vulnerability poses a risk of unauthorized access to user data, potentially leading to the leakage of sensitive information. Organizations should be aware of the potential security implications.
Recommendation
It is recommended to update Open WebUI to version 0.9.6 or later to mitigate this vulnerability. Additionally, conducting an audit of file access permissions in the system is advisable.
Original NVD description (English source)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/chat/completions accepts an image_url.url value that, when it does NOT start with http://, https://, or data:image/, is interpreted as a file id and resolved against the global file table with no ownership check. an authenticated user can therefore set image_url.url to another user's file id, the server reads that file from disk, base64-encodes it, and injects the data URI into the LLM request. the user then prompts the LLM to describe / OCR the file and reads the content back. This vulnerability is fixed in 0.9.6.

