CVE-2026-54009

MEDIUM

Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field

Title source: cna
STIX 2.1

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/chat/completions accepts an image_url.url value that, when it does NOT start with http://, https://, or data:image/, is interpreted as a file id and resolved against the global file table with no ownership check. an authenticated user can therefore set image_url.url to another user's file id, the server reads that file from disk, base64-encodes it, and injects the data URI into the LLM request. the user then prompts the LLM to describe / OCR the file and reads the content back. This vulnerability is fixed in 0.9.6.

References (1)

Core 1
Core References

Scores

CVSS v3 6.5
EPSS 0.0022
EPSS Percentile 13.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (2)
open-webui/open-webui < 0.9.6
openwebui/open_webui < 0.9.6
Published Jun 23, 2026
Tracked Since Jun 23, 2026