
At a Glance
Identifier: CVE-2026-44565
Severity: High
Attack Vector: Authenticated Network
Affected Product: Open WebUI
A vulnerability in Open WebUI allows authenticated users to delete arbitrary files on the host server. The flaw, identified as CVE-2026-44565, stems from a path traversal weakness in a file upload API route. Security researcher Taylor Pennington of KoreLogic discovered and reported the issue. The vulnerability affects versions up to and including 0.1.105 of the popular web interface for local language models.
The Attack Explained
The attack exploits the file upload functionality within the Open WebUI interface. When a user uploads a file, such as a model or an audio file for transcription, the backend receives the file and its name. The application's code fails to properly sanitize the filename provided by the user. This oversight is the entry point for the attack.
An attacker can craft a filename containing path traversal sequences like "../". These sequences instruct the filesystem to navigate up the directory tree. By creating a malicious filename, an attacker can break out of the designated upload directory. They can then target any location on the filesystem where the web server process has write permissions.
The vulnerable API endpoint first writes the uploaded file to the attacker-specified path. Immediately after the file is processed, the code executes an os.remove() command on the same path [1]. This write-then-delete sequence effectively becomes an arbitrary file deletion primitive. Attackers can use it to destroy critical system files, application data, or user information, leading to a denial of service.
OPERATOR ACTION
Update Open WebUI to a patched version immediately to mitigate this vulnerability.
Risks to Agentic Systems
This vulnerability poses a special threat to teams deploying agentic AI systems. Open WebUI is a common component for interacting with local LLMs like Ollama. These systems often form the core of autonomous agents designed to perform complex tasks. The stability of the underlying infrastructure is critical for their reliable operation.
An attacker with access to the UI could use this flaw to directly sabotage an agent's environment. They could delete the agent's memory files, corrupt its knowledge base, or remove essential configuration files. For example, deleting a model file could render the entire LLM service nonfunctional, halting all agent activity. The impact extends beyond simple data loss to operational failure of the AI system.
The attack requires authentication, but this does not eliminate the risk. In multi-tenant deployments, a malicious or compromised user could affect all other users. An agent itself, if compromised through other means like prompt injection, could be manipulated into triggering this vulnerability against its own host system. This creates a dangerous self-sabotage scenario.
Technical Cause and Mitigation
The root cause lies within the "/ollama/models/upload" API route in the application's Python backend. The code constructs the destination file_path by directly concatenating a base upload directory with the user-supplied file.filename. No validation or sanitization is performed on the filename string, allowing path traversal characters to be processed by the filesystem.
The official fix is straightforward and effective. Developers should modify the code to process the filename using a function like os.path.basename(). This function strips any directory and path information from a filename string. It ensures only the actual name of the file is used, effectively locking the write operation within the intended directory and mitigating the traversal threat [2].
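The unsafe concatenation and the basename-based fix, side by side, as an added illustration (this is not Open WebUI's code; the upload directory and the function names are assumed for the example). It also covers the two cases basename alone does not: a bare ".." and an empty name, and it confirms the resolved path is still under the upload root.

```python
import os

# Constructed example value; not a path from the product.
UPLOAD_DIR = "/var/lib/open-webui/uploads"


def vulnerable_upload_path(upload_dir: str, filename: str) -> str:
    """The pattern the advisory describes: base dir joined with the raw filename.
    "../" components walk out of upload_dir; an absolute filename replaces it."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Return a path guaranteed to lie inside upload_dir, or raise ValueError."""
    # Strip every directory component: "../../x" becomes "x", "/tmp/x" becomes "x".
    name = os.path.basename(filename)
    # basename alone is not sufficient: basename("..") is ".." and basename("a/") is "".
    if name in ("", ".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Containment check: the resolved path must still sit under the upload root.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload dir: {filename!r}")
    return candidate


def escapes_upload_dir(upload_dir: str, path: str) -> bool:
    """True if the resolved path is outside upload_dir (used to compare the two)."""
    base = os.path.realpath(upload_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def is_rejected(upload_dir: str, filename: str) -> bool:
    """True if safe_upload_path refuses the filename."""
    try:
        safe_upload_path(upload_dir, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for fname in ["model.gguf", "../../outside.txt", "/tmp/outside.txt", ".."]:
        raw = vulnerable_upload_path(UPLOAD_DIR, fname)
        print(f"{fname!r:24} unsanitized -> {raw} (escapes={escapes_upload_dir(UPLOAD_DIR, raw)})")
        print(f"{'':24} sanitized   -> {'rejected' if is_rejected(UPLOAD_DIR, fname) else safe_upload_path(UPLOAD_DIR, fname)}")
```

Because the delete happens on the same computed path, keeping the write inside the upload directory also confines the os.remove() call the advisory describes.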
References
- GitHub Security Advisory (GHSA-j3fw-wc48-29g3). https://github.com/advisories/GHSA-j3fw-wc48-29g3 (accessed 2026-05-11).
- Vendor security advisory (github.com). https://github.com/open-webui/open-webui/security/advisories/GHSA-j3fw-wc48-29g3 (accessed 2026-05-11).
About Helixar Research Labs
Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.
Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.
If you run agents in production, this is for you. Learn more at helixar.ai.