Skip to main content

Open WebUI CVE-2026-44554

| EUVDEUVD-2026-30622 HIGH
Missing Authorization (CWE-862)
2026-05-08 https://github.com/open-webui/open-webui GHSA-7r82-qhg4-6wvj
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:33 vuln.today
Analysis Generated
May 08, 2026 - 20:33 vuln.today
CVE Published
May 08, 2026 - 19:51 nvd
HIGH 8.1

DescriptionGitHub Advisory

Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite

Affected Component

Retrieval web/YouTube processing endpoints:

  • backend/open_webui/routers/retrieval.py (lines 1810-1837, process_web)
  • backend/open_webui/routers/retrieval.py (the parallel process_youtube endpoint)
  • backend/open_webui/routers/retrieval.py (line 1445, save_docs_to_vector_db call chain)

Affected Versions

Current main branch (commit 6fdd19bf1) and likely all versions with RAG/knowledge base functionality.

Description

The POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_name and an overwrite query parameter (default: True). It performs no authorization check on whether the calling user owns or has write access to the target collection. When overwrite=True, save_docs_to_vector_db calls VECTOR_DB_CLIENT.delete_collection() on the target collection before writing new content.

Combined with the knowledge base enumeration vulnerability (separate report), an attacker can trivially discover any user's knowledge base UUID and then destroy or poison it.

python
# retrieval.py:1810-1837 - no collection authorization check
@router.post('/process/web')
async def process_web(
    request: Request,
    form_data: ProcessUrlForm,
    user=Depends(get_verified_user),
    ...
):
# ... fetch and process the URL ...
    save_docs_to_vector_db(
        request=request,
        docs=docs,
        collection_name=form_data.collection_name,
# attacker-controlled, unchecked
        overwrite=overwrite,
# defaults to True
        ...
    )

CVSS 3.1 Breakdown

MetricValueRationale
Attack VectorNetwork (N)Exploited remotely via API call
Attack ComplexityLow (L)Single API call with a known KB UUID
Privileges RequiredLow (L)Requires any authenticated user account
User InteractionNone (N)No victim interaction required
ScopeUnchanged (U)Impact within the knowledge base authorization boundary
ConfidentialityNone (N)No data disclosure from this vulnerability directly
IntegrityHigh (H)Complete replacement of victim's KB content with attacker-controlled data
AvailabilityHigh (H)Victim's original KB embeddings are deleted; KB effectively destroyed

Attack Scenario

  1. Attacker discovers victim's KB UUID via the knowledge-bases meta-collection (separate finding) or other enumeration.
  2. Attacker sends:
   POST /api/v1/retrieval/process/web?overwrite=true
   {
     "url": "https://attacker.com/poison",
     "collection_name": "<victim_kb_uuid>"
   }
  1. The endpoint fetches content from the attacker's URL.
  2. save_docs_to_vector_db deletes the entire vector collection belonging to the victim's knowledge base.
  3. The attacker's fetched content is embedded and written as the new collection content.
  4. Victim's RAG queries against their KB now return attacker-controlled content instead of their original documents.

Impact

  • Data destruction: Victim's original KB embeddings are permanently deleted from the vector store
  • RAG poisoning: Attacker-controlled content replaces legitimate knowledge, causing the LLM to return misleading or malicious answers to the victim
  • Indirect prompt injection: Poisoned content can contain crafted prompts that manipulate the victim's LLM behavior when queried
  • Persistence: The poisoned content persists until the KB is rebuilt from source files

Preconditions

  • Attacker must have a valid user account
  • Attacker must know the target collection name (KB UUID) - easily obtained via the knowledge-bases enumeration finding

AnalysisAI

Open WebUI through version 0.8.12 allows authenticated attackers to destroy or poison any user's knowledge base via unauthorized collection overwrite operations. The /api/v1/retrieval/process/web endpoint fails to verify collection ownership before performing delete-and-replace operations on vector database collections. This enables attackers to permanently delete victim knowledge bases and inject malicious content that influences LLM responses through RAG poisoning. No public exploit identified at time of analysis, but proof-of-concept code is documented in the GitHub advisory GHSA-7r82-qhg4-6wvj. Vendor-released patch: version 0.9.0.

Technical ContextAI

Open WebUI is a Python-based web interface for large language models with Retrieval-Augmented Generation (RAG) functionality. The vulnerability exists in the retrieval router module (backend/open_webui/routers/retrieval.py) where web and YouTube content processing endpoints accept user-supplied collection names without authorization checks. The affected function save_docs_to_vector_db calls VECTOR_DB_CLIENT.delete_collection() when the overwrite parameter is True (the default), enabling complete destruction of vector embeddings in any accessible collection. This is a classic broken access control vulnerability (CWE-862) where vertical privilege escalation allows low-privileged users to perform administrative operations on resources they do not own. The vulnerability affects the pip package open-webui as identified by CPE pkg:pip/open-webui, with all versions through 0.8.12 confirmed vulnerable and version 0.9.0 containing the fix.

RemediationAI

Upgrade Open WebUI to version 0.9.0 immediately via pip (pip install --upgrade open-webui==0.9.0). The patched version adds authorization checks to verify collection ownership before performing delete or overwrite operations. Review the vendor advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-7r82-qhg4-6wvj for additional context. If immediate upgrade is not feasible, implement the following compensating controls with trade-offs: (1) Disable the /api/v1/retrieval/process/web and /api/v1/retrieval/process/youtube endpoints entirely via reverse proxy rules - this breaks web and YouTube content ingestion features but prevents unauthorized collection manipulation; (2) Implement network-level access controls restricting API access to trusted IP ranges only - reduces but does not eliminate risk from compromised insider accounts; (3) Enable detailed API audit logging on the retrieval endpoints to detect unauthorized collection access attempts - provides detection but not prevention; (4) In multi-tenant deployments, consider segmenting users into isolated Open WebUI instances with separate vector databases - significantly increases operational complexity. None of these workarounds provide complete protection against authenticated attackers; version 0.9.0 is the only comprehensive fix.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-44554 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy