What happened
The POST /api/chat/completions endpoint in Open WebUI applies special handling to image_url.url values based on URL prefix. Values that don't match expected URL schemes are treated as file IDs and resolved against the global file store without checking whether the requesting user owns the referenced file. This allows any authenticated user to read arbitrary files uploaded by other users.
Why it matters
In enterprise Open WebUI deployments, users upload sensitive documents, code, and data as context for LLM conversations. This IDOR allows any user to silently exfiltrate another user's private files — including documents fed into RAG or analysis workflows.
Attack vector
An attacker sends a POST /api/chat/completions request with an image_url.url value that does not begin with http://, https://, or data:image/. The server interprets the value as a file ID and resolves it against the global file store, returning the file regardless of which user owns it.
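The following is an added example, not Open WebUI's own code: a minimal model of the prefix-based dispatch the advisory describes, with the vulnerable file-ID branch (global lookup, no ownership check) beside a hardened version that only returns a file to its owner. The function names, the in-memory file store and the sample records are constructed for illustration and do not correspond to identifiers in the project.

```python
# Added example (not Open WebUI's own code). Models the image_url.url handling
# described in the advisory: URL-like values are handled elsewhere; anything
# else is treated as a file ID. All names and data below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredFile:
    id: str
    user_id: str   # owner of the uploaded file
    content: bytes


# Constructed stand-in for the global file store shared by all users.
FILE_STORE = {
    "file-alice-1": StoredFile("file-alice-1", "alice", b"alice's private document"),
    "file-bob-1": StoredFile("file-bob-1", "bob", b"bob's private document"),
}

# Prefixes that mark a value as a remote URL or inline data rather than a file ID.
URL_PREFIXES = ("http://", "https://", "data:image/")


def classify_image_url(url: str) -> str:
    """Return 'url' for values handled as remote/inline images, else 'file_id'."""
    return "url" if url.startswith(URL_PREFIXES) else "file_id"


def resolve_image_url_vulnerable(url: str, requesting_user: str) -> Optional[bytes]:
    """Vulnerable pattern: a file ID is looked up in the global store and
    returned without checking that requesting_user owns it (the IDOR)."""
    if classify_image_url(url) == "url":
        return None  # remote fetch / data URI handling is out of scope here
    stored = FILE_STORE.get(url)
    return stored.content if stored else None


def resolve_image_url_hardened(url: str, requesting_user: str) -> Optional[bytes]:
    """Hardened pattern: same dispatch, but the file-ID branch enforces ownership.
    A file owned by someone else is treated exactly like a missing file, so the
    response does not reveal whether the ID exists."""
    if classify_image_url(url) == "url":
        return None
    stored = FILE_STORE.get(url)
    if stored is None or stored.user_id != requesting_user:
        return None
    return stored.content


if __name__ == "__main__":
    # bob supplies alice's file ID as image_url.url
    print(resolve_image_url_vulnerable("file-alice-1", "bob"))  # leaks alice's content
    print(resolve_image_url_hardened("file-alice-1", "bob"))    # None
    print(resolve_image_url_hardened("file-alice-1", "alice"))  # alice's content
```

The hardened branch scopes the lookup to the requester; in a real deployment the same ownership (or group/share) check belongs in the file store query itself, so every code path that accepts a file ID goes through it.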
Affected systems
Open WebUI < 0.9.6
Mitigation
Upgrade to Open WebUI 0.9.6. Advisory: https://github.com/open-webui/open-webui/security/advisories/GHSA-wch8-mhj5-9frg