
2026-05-11

Severity: Critical | Primary

CVE-2026-44565: Open WebUI path traversal in file upload allows arbitrary file deletion on agentic host systems

CVE-2026-44565 in Open WebUI allows authenticated users to delete any file on the host server via path traversal in the file upload API. Affects agent deployments.

Product: Open WebUI | Category: Production deletion | Technique: Path traversal leading to arbitrary file deletion | Assets at risk: Open WebUI host server / Ollama model files / agent memory and config

What happened

An authenticated user uploads a file whose filename contains path traversal sequences; the backend writes and then deletes the file at the traversed path, enabling arbitrary deletion of host filesystem objects.

Why it matters

Any file writable by the web server process can be deleted: agent memory files, LLM model weights, configuration, or OS-level files, resulting in denial of service or full agent operational failure.

Missing control

Filename sanitization (os.path.basename) before filesystem operations; restriction of file operations to the designated upload directory

Would PP block it?

If an agent is manipulated via prompt injection to trigger this CVE against its own host, a PP tool-call gate on file operations would not block the upload-API path — the traversal happens at the HTTP layer, below agent tool execution. However, PP's infrastructure integrity checks and agent scope restrictions reduce the blast radius by limiting which file paths an agent can legitimately reach. Full mitigation requires the patch (os.path.basename on all filenames).

Incident analysis

Timeline and technical read

Timeline

  1. 2026-05-11

    Taylor Pennington (KoreLogic) discovered path traversal in Open WebUI file upload API route /ollama/models/upload.

  2. 2026-05-11

    GitHub Security Advisory GHSA-j3fw-wc48-29g3 published. CVE-2026-44565 assigned.

  3. 2026-05-11

    Helixar Research published technical analysis. CVSS rated Critical.

  4. 2026-05-11

    Open WebUI maintainers notified. Fix: apply os.path.basename() to all uploaded filenames.

  5. 2026-05-13

    Signal scan detected. Affects any Open WebUI deployment ≤0.1.105 used as an agentic interface.

Technical breakdown

  • The /ollama/models/upload route constructs a destination path by concatenating the upload directory with the raw user-supplied filename — no validation is performed.
  • An attacker crafts a filename like '../../etc/cron.d/malicious' or '../agent-memory/context.json'; the backend writes the file to the traversed path, then immediately calls os.remove() on the same path.
  • The write-then-delete sequence converts the upload endpoint into an arbitrary file deletion primitive accessible to any authenticated user.
  • In agentic deployments, prompt injection can manipulate the agent into triggering this vulnerability against its own host — a self-sabotage attack vector.
  • Fix is straightforward: os.path.basename(file.filename) strips path components and locks operations within the intended upload directory.
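As an added illustration (not code from Open WebUI or the advisory), the path construction the breakdown describes, beside a hardened form that applies the basename fix and then independently verifies the resolved destination stays inside the upload directory; the upload directory and function names are assumptions:

```python
import os


def unsafe_upload_path(upload_dir: str, filename: str) -> str:
    """Path construction as the advisory describes the vulnerable route:
    the raw client-supplied filename is joined onto the upload directory
    with no validation, so '../' segments walk out of the directory and
    the later write/os.remove() act on an attacker-chosen host path."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Hardened construction: os.path.basename strips every directory
    component (the fix named in the advisory); names that are empty or
    dot-only are refused; and as defence in depth the fully resolved
    destination is checked against the resolved upload directory before
    any filesystem operation uses it."""
    # Normalise backslashes first: on a POSIX host os.path.basename treats
    # '\' as an ordinary character, so a backslash-separated name would
    # otherwise survive intact.
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("invalid filename")
    base = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(base, name))
    # Containment check independent of the basename step: refuse anything
    # whose resolved path is not beneath the upload directory.
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("destination escapes upload directory")
    return dest


def rejected(upload_dir: str, filename: str) -> bool:
    """True when the hardened check refuses the filename."""
    try:
        safe_upload_path(upload_dir, filename)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    # Constructed sample names; the upload directory is assumed.
    for fn in ("../../etc/cron.d/malicious", "../agent-memory/context.json", "report.pdf"):
        print(fn, "->", unsafe_upload_path("/srv/uploads", fn), "|", safe_upload_path("/srv/uploads", fn))
```

The same containment check should guard the delete call as well as the write, since the advisory's primitive is the delete that follows the write.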

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Production deletion. The relevant Permission Protocol gate is Runtime Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at
File upload API / HTTP layer (below agent tool execution)
Still needs
Web API layer file operations; PP does not govern HTTP file upload endpoints directly
Receipt required for
Agent-initiated file deletion; any file operation outside designated upload directory

PP can gate agent-initiated file operations but does not intercept the underlying web API upload surface that carries the traversal payload.

Start small

Put the relevant gate at this action boundary.

This incident maps to Runtime Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
