CVE-2026-44566: Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal

May 8, 2026 (updated May 19, 2026)

Attacker controlled files can be uploaded to arbitrary locations on the web server’s filesystem by abusing a path traversal vulnerability.

References

github.com/advisories/GHSA-9pgh-j74g-qj6m
github.com/open-webui/open-webui/security/advisories/GHSA-9pgh-j74g-qj6m
nvd.nist.gov/vuln/detail/CVE-2026-44566

Code Behaviors & Features

Detect and mitigate CVE-2026-44566 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →