Remote Code Execution due to Arbitrary File Write in open-webui/open-webui
Description
In open-webui version 0.3.8, the endpoint /models/upload is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. The vulnerability arises from the usage of file_path = f"{UPLOAD_DIR}/{file.filename}" without proper input validation or sanitization. An attacker can exploit this by manipulating the file.filename parameter to include directory traversal sequences, causing the resulting file_path to escape the intended UPLOAD_DIR and potentially overwrite arbitrary files on the system. This can lead to unauthorized modifications of system binaries, configuration files, or sensitive data, potentially enabling remote command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open WebUI 0.3.8 suffers from an arbitrary file write vulnerability in /models/upload due to unsanitized filenames, enabling directory traversal and potential remote code execution.
Root
Cause
The /models/upload endpoint in Open WebUI version 0.3.8 constructs file paths using user-supplied filenames without validation or sanitization. Specifically, the code file_path = f"{UPLOAD_DIR}/{file.filename}" allows an attacker to include directory traversal sequences (e.g., ../) in the file.filename parameter, causing the resulting path to escape the intended upload directory [2].
Exploitation
An attacker can exploit this by sending a crafted multipart request to /models/upload with a filename containing traversal sequences. No authentication is required if the endpoint is exposed, making the attack surface broad. The vulnerability is publicly documented in a bug bounty report [3] and the project's repository [1] confirms the affected codebase.
Impact
Successful exploitation allows arbitrary file write on the server. An attacker could overwrite system binaries, configuration files, or sensitive data, potentially leading to remote command execution or complete compromise of the Open WebUI instance [2].
Mitigation
As of the publication date, users should monitor the Open WebUI project for a patched release. In the interim, restricting network access to the /models/upload endpoint and implementing input validation on filenames can reduce risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
open-webuiPyPI | <= 0.3.8 | — |
Affected products
3- Range: = 0.3.8
- open-webui/open-webui/open-webuiv5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.