Skip to main content

Open WebUI CVE-2026-44557

| EUVDEUVD-2026-30620 MEDIUM
Information Exposure (CWE-200)
2026-05-08 https://github.com/open-webui/open-webui GHSA-6c2x-gcp3-gp73
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:35 vuln.today
Analysis Generated
May 08, 2026 - 20:35 vuln.today
CVE Published
May 08, 2026 - 19:51 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Global Knowledge Base Enumeration via knowledge-bases Meta-Collection

Affected Component

Retrieval collection access validation:

  • backend/open_webui/routers/retrieval.py (lines 2330-2355, _validate_collection_access)
  • backend/open_webui/routers/retrieval.py (query endpoints, e.g. POST /query/doc)

Affected Versions

Current main branch (commit 6fdd19bf1) and likely all versions with the knowledge base subsystem.

Description

The _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-* patterns. All other collection names pass through unchecked - including the system-level knowledge-bases meta-collection, which stores the IDs, names, and descriptions of every knowledge base on the instance.

Any authenticated user can query this meta-collection directly via the retrieval query endpoints to obtain a global index of all knowledge bases across all users.

python
# retrieval.py:2330-2355 - incomplete collection allowlist
def _validate_collection_access(user, collection_name, ...):
    if collection_name.startswith('user-memory-'):
# Check user-memory ownership
        ...
    elif collection_name.startswith('file-'):
# Check file access
        ...
# Everything else (including "knowledge-bases") passes through unchecked

This finding is the enabler for the KB destruction (process/web), KB content injection (process/file), and RAG vector search access bypass findings - all of which require knowing a target KB's UUID. Without this enumeration, UUIDs are random and practically unguessable; with it, UUIDs across the entire instance are trivially obtained.

CVSS 3.1 Breakdown

MetricValueRationale
Attack VectorNetwork (N)Exploited remotely via API call
Attack ComplexityLow (L)Single API call
Privileges RequiredLow (L)Requires any authenticated user account
User InteractionNone (N)No victim interaction required
ScopeUnchanged (U)Impact within the knowledge base boundary
ConfidentialityLow (L)Discloses KB metadata (IDs, names, descriptions) across all users
IntegrityNone (N)No direct data modification
AvailabilityNone (N)No denial of service

Attack Scenario

  1. Attacker (any authenticated user) sends:
   POST /api/v1/retrieval/query/doc
   {
     "collection_name": "knowledge-bases",
     "query": "confidential"
   }
  1. _validate_collection_access does not recognize the knowledge-bases prefix and lets the request pass.
  2. The vector search returns the most relevant documents from the meta-collection - knowledge base records including their UUIDs, names, and descriptions - across all users on the instance.
  3. Attacker varies the query to enumerate more KBs: "project", "internal", "private", etc.
  4. Attacker now has a full target list for subsequent attacks (destruction, poisoning, content extraction).

Impact

  • Information disclosure: KB names and descriptions may reveal sensitive project names, internal initiatives, or user activities
  • Enabler for other attacks: Unlocks the following findings by supplying the required target UUIDs:
  • KB destruction/poisoning via process/web
  • Cross-user content injection via process/file
  • RAG vector search access bypass in retrieval/utils.py
  • Transforms these from theoretical (requires UUID guessing) to trivially exploitable (UUIDs enumerable)

Preconditions

  • Attacker must have a valid user account

AnalysisAI

Open WebUI versions up to 0.8.12 allow authenticated users to enumerate all knowledge bases across the instance via an incomplete access control allowlist in the retrieval collection validation function. The _validate_collection_access function only enforces ownership checks for collections matching user-memory-* and file-* patterns, allowing any authenticated user to directly query the system-level knowledge-bases meta-collection and retrieve the IDs, names, and descriptions of every knowledge base regardless of ownership. This information disclosure vulnerability serves as an enabler for subsequent attacks including knowledge base destruction and content injection, transforming these attacks from theoretically exploitable (requiring random UUID guessing) to trivially exploitable (UUIDs enumerable). CVSS score 4.3 (network-accessible, low privilege required, low confidentiality impact). Patched in version 0.9.0.

Technical ContextAI

Open WebUI is a web-based interface for large language models that includes a retrieval-augmented generation (RAG) system with knowledge base functionality. The vulnerability exists in the _validate_collection_access function located in backend/open_webui/routers/retrieval.py (lines 2330-2355), which is responsible for validating user access to collections before permitting queries. The function implements an incomplete allowlist that uses string pattern matching (startswith()) to enforce ownership checks only for collections named user-memory-* and file-*. Collections not matching these patterns, including the system-level knowledge-bases meta-collection, bypass all access validation and are queryable by any authenticated user. The knowledge-bases collection is a special system collection that stores metadata records for all knowledge bases on the instance, including their UUIDs, names, and descriptions. Attackers exploit this via the POST /api/v1/retrieval/query/doc endpoint or other retrieval query endpoints. The root cause is a CWE-200 information exposure vulnerability stemming from incomplete access control logic (CWE-200 covers information exposure to an unauthorized actor, often due to missing or inadequate access restrictions).

RemediationAI

Upgrade Open WebUI to version 0.9.0 or later, which fixes the incomplete access control allowlist in the _validate_collection_access function. If immediate upgrade is not possible, implement network-level access controls to restrict access to the /api/v1/retrieval/query/doc and related retrieval endpoints to trusted users or networks only. Alternatively, disable or isolate the knowledge base feature entirely if not actively in use, though this may impact RAG functionality. Additionally, audit logs for queries to the knowledge-bases collection name to identify any unauthorized enumeration attempts. Review all knowledge bases on affected instances to identify those containing sensitive metadata that may have been exposed. The upstream fix (committed to main branch and released in 0.9.0) replaces the incomplete allowlist with a default-deny access control model that requires explicit authorization for collection access, not pattern-matching exceptions. No vendor-released patch or workaround documentation other than upgrade has been referenced, so version upgrade is the definitive remediation path.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-44557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy