Open WebUI — Path Traversal Arbitrary File Write/Delete (CVE-2026-44565, CVE-2026-44566)
AI relevance: Open WebUI is the most popular local LLM interface for self-hosted Ollama deployments, and these two path traversal flaws let any authenticated user write or delete arbitrary files — meaning a compromised or malicious account can sabotage the agent's model files, knowledge base, or configuration in one request.
- CVE-2026-44565 — Arbitrary file deletion via path traversal in the /ollama/models/upload API. The backend concatenates the user-supplied filename directly with the upload directory, then writes and immediately deletes via os.remove(), effectively creating a delete-anywhere primitive. Discovered by Taylor Pennington of KoreLogic.
- CVE-2026-44566 — Arbitrary file upload via the same path traversal vector in the store_doc process. Attacker-crafted filenames with ../ sequences escape the intended upload directory and write to arbitrary filesystem locations.
- Both flaws affect Open WebUI versions up to and including 0.1.105. The fix applies os.path.basename() to strip directory components from filenames before use.
- For agentic AI deployments, the impact extends beyond data loss: deleting a model file halts all agent activity, corrupting the knowledge base poisons RAG pipelines, and removing configuration files can disable safety guardrails.
- The attack requires authentication but not admin privileges — any valid user account (or a compromised low-privilege account) is sufficient. In multi-tenant setups, one rogue user affects all co-tenants.
- A prompt-injection-compromised agent could theoretically be manipulated into triggering these vulnerabilities against its own host, creating a self-sabotage loop.
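As an added illustration (not Open WebUI's own code; the upload directory and filenames are constructed for the example), the direct-join pattern the advisory describes next to a hardened helper that applies os.path.basename() as the fix does and additionally verifies the resolved path stays under the upload root, plus a small check that flags names carrying directory components so they can be logged.

```python
import os

# Constructed upload root for this example, not Open WebUI's real path.
UPLOAD_DIR = "/srv/openwebui/uploads"


def naive_upload_path(upload_dir: str, filename: str) -> str:
    """The unsafe pattern: user-supplied filename joined straight onto the directory."""
    return os.path.join(upload_dir, filename)


def escapes_upload_dir(upload_dir: str, filename: str) -> bool:
    """True when the naive join resolves to a location outside upload_dir."""
    root = os.path.abspath(upload_dir)
    candidate = os.path.abspath(naive_upload_path(root, filename))
    return os.path.commonpath([root, candidate]) != root


def looks_like_traversal(filename: str) -> bool:
    """Detection aid: a legitimate upload name never carries directory components."""
    normalized = filename.replace("\\", "/")
    return "/" in normalized or normalized in (".", "..")


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Hardened version: strip directory components (the fix named in the advisory),
    reject empty or dot-only names, and confirm the final path is under the root."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("invalid filename")
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload directory")
    return candidate


if __name__ == "__main__":
    # Constructed sample names: one benign, two traversal attempts.
    for name in ("report.pdf", "../../etc/passwd", "..\\..\\models\\model.bin"):
        print(f"{name!r}: naive -> {naive_upload_path(UPLOAD_DIR, name)}, "
              f"escapes={escapes_upload_dir(UPLOAD_DIR, name)}, "
              f"flagged={looks_like_traversal(name)}")
        try:
            print(f"  safe -> {safe_upload_path(UPLOAD_DIR, name)}")
        except ValueError as exc:
            print(f"  rejected: {exc}")
```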
Why it matters
Open WebUI sits at the boundary between human users and local LLM infrastructure. When that boundary can be crossed to touch arbitrary filesystem paths, the entire agent stack — models, memory, configs, tool integrations — becomes vulnerable to a single authenticated request.
What to do
- Update Open WebUI to the latest patched version immediately.
- Run Open WebUI in a container with a read-only filesystem where possible; isolate the upload directory.
- Audit user accounts and remove stale credentials — the attack only needs any valid login, not admin access.