Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite
Affected Component
Retrieval web/YouTube processing endpoints:
backend/open_webui/routers/retrieval.py(lines 1810-1837,process_web)backend/open_webui/routers/retrieval.py(the parallelprocess_youtubeendpoint)backend/open_webui/routers/retrieval.py(line 1445,save_docs_to_vector_dbcall chain)
Affected Versions
Current main branch (commit 6fdd19bf1) and likely all versions with RAG/knowledge base functionality.
Description
The POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_name and an overwrite query parameter (default: True). It performs no authorization check on whether the calling user owns or has write access to the target collection. When overwrite=True, save_docs_to_vector_db calls VECTOR_DB_CLIENT.delete_collection() on the target collection before writing new content.
Combined with the knowledge base enumeration vulnerability (separate report), an attacker can trivially discover any user's knowledge base UUID and then destroy or poison it.
# retrieval.py:1810-1837 - no collection authorization check
@router.post('/process/web')
async def process_web(
request: Request,
form_data: ProcessUrlForm,
user=Depends(get_verified_user),
...
):
# ... fetch and process the URL ...
save_docs_to_vector_db(
request=request,
docs=docs,
collection_name=form_data.collection_name,
# attacker-controlled, unchecked
overwrite=overwrite,
# defaults to True
...
)CVSS 3.1 Breakdown
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network (N) | Exploited remotely via API call |
| Attack Complexity | Low (L) | Single API call with a known KB UUID |
| Privileges Required | Low (L) | Requires any authenticated user account |
| User Interaction | None (N) | No victim interaction required |
| Scope | Unchanged (U) | Impact within the knowledge base authorization boundary |
| Confidentiality | None (N) | No data disclosure from this vulnerability directly |
| Integrity | High (H) | Complete replacement of victim's KB content with attacker-controlled data |
| Availability | High (H) | Victim's original KB embeddings are deleted; KB effectively destroyed |
Attack Scenario
- Attacker discovers victim's KB UUID via the
knowledge-basesmeta-collection (separate finding) or other enumeration. - Attacker sends:
POST /api/v1/retrieval/process/web?overwrite=true
{
"url": "https://attacker.com/poison",
"collection_name": "<victim_kb_uuid>"
}- The endpoint fetches content from the attacker's URL.
save_docs_to_vector_dbdeletes the entire vector collection belonging to the victim's knowledge base.- The attacker's fetched content is embedded and written as the new collection content.
- Victim's RAG queries against their KB now return attacker-controlled content instead of their original documents.
Impact
- Data destruction: Victim's original KB embeddings are permanently deleted from the vector store
- RAG poisoning: Attacker-controlled content replaces legitimate knowledge, causing the LLM to return misleading or malicious answers to the victim
- Indirect prompt injection: Poisoned content can contain crafted prompts that manipulate the victim's LLM behavior when queried
- Persistence: The poisoned content persists until the KB is rebuilt from source files
Preconditions
- Attacker must have a valid user account
- Attacker must know the target collection name (KB UUID) - easily obtained via the
knowledge-basesenumeration finding
AnalysisAI
Open WebUI through version 0.8.12 allows authenticated attackers to destroy or poison any user's knowledge base via unauthorized collection overwrite operations. The /api/v1/retrieval/process/web endpoint fails to verify collection ownership before performing delete-and-replace operations on vector database collections. This enables attackers to permanently delete victim knowledge bases and inject malicious content that influences LLM responses through RAG poisoning. No public exploit identified at time of analysis, but proof-of-concept code is documented in the GitHub advisory GHSA-7r82-qhg4-6wvj. Vendor-released patch: version 0.9.0.
Technical ContextAI
Open WebUI is a Python-based web interface for large language models with Retrieval-Augmented Generation (RAG) functionality. The vulnerability exists in the retrieval router module (backend/open_webui/routers/retrieval.py) where web and YouTube content processing endpoints accept user-supplied collection names without authorization checks. The affected function save_docs_to_vector_db calls VECTOR_DB_CLIENT.delete_collection() when the overwrite parameter is True (the default), enabling complete destruction of vector embeddings in any accessible collection. This is a classic broken access control vulnerability (CWE-862) where vertical privilege escalation allows low-privileged users to perform administrative operations on resources they do not own. The vulnerability affects the pip package open-webui as identified by CPE pkg:pip/open-webui, with all versions through 0.8.12 confirmed vulnerable and version 0.9.0 containing the fix.
RemediationAI
Upgrade Open WebUI to version 0.9.0 immediately via pip (pip install --upgrade open-webui==0.9.0). The patched version adds authorization checks to verify collection ownership before performing delete or overwrite operations. Review the vendor advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-7r82-qhg4-6wvj for additional context. If immediate upgrade is not feasible, implement the following compensating controls with trade-offs: (1) Disable the /api/v1/retrieval/process/web and /api/v1/retrieval/process/youtube endpoints entirely via reverse proxy rules - this breaks web and YouTube content ingestion features but prevents unauthorized collection manipulation; (2) Implement network-level access controls restricting API access to trusted IP ranges only - reduces but does not eliminate risk from compromised insider accounts; (3) Enable detailed API audit logging on the retrieval endpoints to detect unauthorized collection access attempts - provides detection but not prevention; (4) In multi-tenant deployments, consider segmenting users into isolated Open WebUI instances with separate vector databases - significantly increases operational complexity. None of these workarounds provide complete protection against authenticated attackers; version 0.9.0 is the only comprehensive fix.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30622
GHSA-7r82-qhg4-6wvj