External risk intelligence

Open WebUI could allow an internal attacker to write unauthorized files to the system

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-44566

An internal attacker can manipulate file uploads in Open WebUI to save malicious files to restricted system locations. This could allow them to override critical settings or run unauthorized code, leading to a complete compromise of the platform.

1Halo Surface Signal

Path Traversal

Openwebui Open Webui

before 0.1.124

External exposure likelihood

Halo Surface Signal score for CVE-2026-44566

The product is a self-hosted platform explicitly designed to operate entirely offline. It is typically deployed within isolated or internal environments, meaning public internet exposure is contrary to its intended architecture and normal use case.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Open WebUI allows an unauthenticated user to upload files to any location on the server's filesystem. This is a significant risk because it can lead to the compromise of the entire server.

  • Allows unrestricted file uploads.
  • Affects servers reachable from the internet.
  • Enables full system takeover.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can leverage this vulnerability to upload arbitrary files to the server by crafting a malicious filename that escapes the intended upload directory. This allows them to overwrite critical system files or inject malicious content anywhere the web server process has write permissions, potentially leading to complete system compromise.

  • Upload file to server.
  • Bypass directory restrictions.
  • Execute arbitrary code.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability, allowing arbitrary file writes to any location on the filesystem accessible by the web server user, presents a serious risk. The lack of authentication and validation on file uploads makes it a prime target for attackers seeking to gain a foothold in a system. While the product is designed for offline use, misconfigurations or intentional exposure could lead to exploitation.

  • No public exploit observed.
  • No KEV listing.
  • Recency signal weak.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Focus on updating Open WebUI to version 0.1.124 or later to address the critical path traversal vulnerability. If immediate patching is not feasible, implement strict network segmentation to isolate affected instances and monitor for any unusual file system activity or unauthorized access attempts.

  • Upgrade to version 0.1.124+.
  • Restrict network access to affected instances.
  • Monitor for unauthorized file modifications.

Frequently asked questions

What is Open WebUI and its primary function?

Open WebUI is a self-hosted AI platform designed for offline operation, enabling users to interact with AI models and features within a secure, private environment.

What specific weakness does CVE-2026-44566 detail in Open WebUI?

CVE-2026-44566 describes a path traversal vulnerability (CWE-22) where Open WebUI fails to validate or sanitize uploaded filenames. This allows attackers to bypass directory restrictions and upload files to unintended locations on the server.

How can an attacker exploit the path traversal flaw in Open WebUI?

An unauthenticated attacker can exploit this by uploading files with specially crafted names. These names can contain sequences like '..', allowing them to write files outside the designated upload directory, potentially overwriting critical system files or injecting malicious code.

What is the relevance of CVE-2026-44566 given Open WebUI's offline design?

Although designed for offline use, if Open WebUI instances are exposed to the internet or improperly configured, this vulnerability can be exploited. It allows attackers to achieve remote code execution or full system compromise by writing arbitrary files to the server.

What is the recommended action to mitigate the Open WebUI vulnerability?

The primary remediation is to update Open WebUI to version 0.1.124 or later. If immediate upgrading is not possible, restrict network access to the affected instances and implement vigilant monitoring for any suspicious file system modifications.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified