Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
Affected Component
Retrieval collection access validation:
backend/open_webui/routers/retrieval.py(lines 2330-2355,_validate_collection_access)backend/open_webui/routers/retrieval.py(query endpoints, e.g.POST /query/doc)
Affected Versions
Current main branch (commit 6fdd19bf1) and likely all versions with the knowledge base subsystem.
Description
The _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-* patterns. All other collection names pass through unchecked - including the system-level knowledge-bases meta-collection, which stores the IDs, names, and descriptions of every knowledge base on the instance.
Any authenticated user can query this meta-collection directly via the retrieval query endpoints to obtain a global index of all knowledge bases across all users.
# retrieval.py:2330-2355 - incomplete collection allowlist
def _validate_collection_access(user, collection_name, ...):
if collection_name.startswith('user-memory-'):
# Check user-memory ownership
...
elif collection_name.startswith('file-'):
# Check file access
...
# Everything else (including "knowledge-bases") passes through uncheckedThis finding is the enabler for the KB destruction (process/web), KB content injection (process/file), and RAG vector search access bypass findings - all of which require knowing a target KB's UUID. Without this enumeration, UUIDs are random and practically unguessable; with it, UUIDs across the entire instance are trivially obtained.
CVSS 3.1 Breakdown
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network (N) | Exploited remotely via API call |
| Attack Complexity | Low (L) | Single API call |
| Privileges Required | Low (L) | Requires any authenticated user account |
| User Interaction | None (N) | No victim interaction required |
| Scope | Unchanged (U) | Impact within the knowledge base boundary |
| Confidentiality | Low (L) | Discloses KB metadata (IDs, names, descriptions) across all users |
| Integrity | None (N) | No direct data modification |
| Availability | None (N) | No denial of service |
Attack Scenario
- Attacker (any authenticated user) sends:
POST /api/v1/retrieval/query/doc
{
"collection_name": "knowledge-bases",
"query": "confidential"
}_validate_collection_accessdoes not recognize theknowledge-basesprefix and lets the request pass.- The vector search returns the most relevant documents from the meta-collection - knowledge base records including their UUIDs, names, and descriptions - across all users on the instance.
- Attacker varies the query to enumerate more KBs:
"project","internal","private", etc. - Attacker now has a full target list for subsequent attacks (destruction, poisoning, content extraction).
Impact
- Information disclosure: KB names and descriptions may reveal sensitive project names, internal initiatives, or user activities
- Enabler for other attacks: Unlocks the following findings by supplying the required target UUIDs:
- KB destruction/poisoning via
process/web - Cross-user content injection via
process/file - RAG vector search access bypass in
retrieval/utils.py - Transforms these from theoretical (requires UUID guessing) to trivially exploitable (UUIDs enumerable)
Preconditions
- Attacker must have a valid user account
AnalysisAI
Open WebUI versions up to 0.8.12 allow authenticated users to enumerate all knowledge bases across the instance via an incomplete access control allowlist in the retrieval collection validation function. The _validate_collection_access function only enforces ownership checks for collections matching user-memory-* and file-* patterns, allowing any authenticated user to directly query the system-level knowledge-bases meta-collection and retrieve the IDs, names, and descriptions of every knowledge base regardless of ownership. This information disclosure vulnerability serves as an enabler for subsequent attacks including knowledge base destruction and content injection, transforming these attacks from theoretically exploitable (requiring random UUID guessing) to trivially exploitable (UUIDs enumerable). CVSS score 4.3 (network-accessible, low privilege required, low confidentiality impact). Patched in version 0.9.0.
Technical ContextAI
Open WebUI is a web-based interface for large language models that includes a retrieval-augmented generation (RAG) system with knowledge base functionality. The vulnerability exists in the _validate_collection_access function located in backend/open_webui/routers/retrieval.py (lines 2330-2355), which is responsible for validating user access to collections before permitting queries. The function implements an incomplete allowlist that uses string pattern matching (startswith()) to enforce ownership checks only for collections named user-memory-* and file-*. Collections not matching these patterns, including the system-level knowledge-bases meta-collection, bypass all access validation and are queryable by any authenticated user. The knowledge-bases collection is a special system collection that stores metadata records for all knowledge bases on the instance, including their UUIDs, names, and descriptions. Attackers exploit this via the POST /api/v1/retrieval/query/doc endpoint or other retrieval query endpoints. The root cause is a CWE-200 information exposure vulnerability stemming from incomplete access control logic (CWE-200 covers information exposure to an unauthorized actor, often due to missing or inadequate access restrictions).
RemediationAI
Upgrade Open WebUI to version 0.9.0 or later, which fixes the incomplete access control allowlist in the _validate_collection_access function. If immediate upgrade is not possible, implement network-level access controls to restrict access to the /api/v1/retrieval/query/doc and related retrieval endpoints to trusted users or networks only. Alternatively, disable or isolate the knowledge base feature entirely if not actively in use, though this may impact RAG functionality. Additionally, audit logs for queries to the knowledge-bases collection name to identify any unauthorized enumeration attempts. Review all knowledge bases on affected instances to identify those containing sensitive metadata that may have been exposed. The upstream fix (committed to main branch and released in 0.9.0) replaces the incomplete allowlist with a default-deny access control model that requires explicit authorization for collection access, not pattern-matching exceptions. No vendor-released patch or workaround documentation other than upgrade has been referenced, so version upgrade is the definitive remediation path.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-200 – Information Exposure
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30620
GHSA-6c2x-gcp3-gp73