
Open WebUI CVE-2026-45397 | EUVD-2026-30629 | MEDIUM
Missing Authentication for Critical Function (CWE-306)
Published 2026-05-14 | https://github.com/open-webui/open-webui | GHSA-65pg-qhhw-mxwg
CVSS 3.1 base score: 5.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched - May 14, 2026 21:51 (vuln.today)
Analysis Generated - May 14, 2026 21:51 (vuln.today)
CVE Published - May 14, 2026 20:26 (nvd)

Description (NVD)

Vulnerability Type: Information Disclosure / Missing Authentication
Severity: Medium
Component: backend/open_webui/routers/retrieval.py - get_status() (GET /)
Affected Endpoint: GET /api/v1/retrieval/
Affected Version: Open WebUI main branch - confirmed unpatched through v0.9.2
Authentication Required: None - any client that can reach the instance can call it with zero credentials
CVSSv3.1 Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

---

Summary

GET /api/v1/retrieval/ returns the live RAG pipeline configuration to any unauthenticated HTTP client: no Authorization header, session cookie, or API key is required. The adjacent endpoints on the same router (/embedding, /config) are guarded by get_admin_user, so the missing dependency on get_status() is an isolated omission on an otherwise guarded router rather than a design choice.

---

Root Cause

backend/open_webui/routers/retrieval.py:262

python
@router.get('/')
async def get_status(request: Request):  # ← no Depends(get_verified_user) or Depends(get_admin_user)
    return {
        'status': True,
        'CHUNK_SIZE': request.app.state.config.CHUNK_SIZE,
        'CHUNK_OVERLAP': request.app.state.config.CHUNK_OVERLAP,
        'RAG_TEMPLATE': request.app.state.config.RAG_TEMPLATE,
        'RAG_EMBEDDING_ENGINE': request.app.state.config.RAG_EMBEDDING_ENGINE,
        'RAG_EMBEDDING_MODEL': request.app.state.config.RAG_EMBEDDING_MODEL,
        'RAG_RERANKING_MODEL': request.app.state.config.RAG_RERANKING_MODEL,
        'RAG_EMBEDDING_BATCH_SIZE': request.app.state.config.RAG_EMBEDDING_BATCH_SIZE,
        'ENABLE_ASYNC_EMBEDDING': request.app.state.config.ENABLE_ASYNC_EMBEDDING,
        'RAG_EMBEDDING_CONCURRENT_REQUESTS': request.app.state.config.RAG_EMBEDDING_CONCURRENT_REQUESTS,
    }

Compare with the adjacent endpoints on the same router, both of which take the admin guard as a parameter dependency:

python
@router.get('/embedding')
async def get_embedding_config(request: Request, user=Depends(get_admin_user)):  # ✅ admin-only
    ...

@router.get('/config')
async def get_rag_config(request: Request, user=Depends(get_admin_user)):  # ✅ admin-only
    ...
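A bug of this shape (one handler on a router that forgot the dependency every sibling has) is easy to catch statically. The following is an added example, not code from the advisory or from Open WebUI: it parses a router source file with the standard-library ast module and reports every @router.<method>(...) handler that has no parameter defaulting to Depends(get_verified_user) or Depends(get_admin_user). The sample source is constructed from the three handlers quoted above plus one hypothetical verified-user route; the assumptions are that guards are always passed as Depends() parameter defaults and that Depends is referenced by its bare name, so handlers authenticating some other way would show up as false positives.

```python
"""Added example (not from the advisory or from Open WebUI): a static audit
that finds FastAPI route handlers with no auth dependency, the pattern behind
this CVE (one unguarded handler on an otherwise guarded router).

Assumptions: routes are declared as @router.<method>(path); guards are passed
as parameter defaults Depends(get_verified_user) / Depends(get_admin_user),
which is how the handlers quoted in the advisory are written; Depends is
referenced by bare name.
"""
import ast

GUARD_NAMES = {"get_verified_user", "get_admin_user"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

# Constructed sample: the three handlers quoted in this advisory plus one
# hypothetical verified-user route to show the second guard is recognised.
SAMPLE_SOURCE = '''
@router.get('/')
async def get_status(request: Request):
    return {'status': True, 'CHUNK_SIZE': request.app.state.config.CHUNK_SIZE}

@router.get('/embedding')
async def get_embedding_config(request: Request, user=Depends(get_admin_user)):
    return {}

@router.get('/config')
async def get_rag_config(request: Request, user=Depends(get_admin_user)):
    return {}

@router.post('/hypothetical')
async def hypothetical_route(request: Request, user=Depends(get_verified_user)):
    return {}
'''


def _route(decorator):
    """(METHOD, path) if the decorator is @router.<method>(...), else None."""
    if not isinstance(decorator, ast.Call):
        return None
    func = decorator.func
    if not (isinstance(func, ast.Attribute) and func.attr in HTTP_METHODS
            and isinstance(func.value, ast.Name) and func.value.id == "router"):
        return None
    path = "<dynamic>"
    if decorator.args and isinstance(decorator.args[0], ast.Constant):
        path = decorator.args[0].value
    return func.attr.upper(), path


def _guards(fn):
    """Names X for every parameter default of the form Depends(X)."""
    names = set()
    for default in fn.args.defaults + fn.args.kw_defaults:
        if (isinstance(default, ast.Call) and isinstance(default.func, ast.Name)
                and default.func.id == "Depends" and default.args
                and isinstance(default.args[0], ast.Name)):
            names.add(default.args[0].id)
    return names


def audit(source):
    """Return [(METHOD, path, handler_name)] for every route handler whose
    parameters carry none of GUARD_NAMES as a Depends() default."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            route = _route(dec)
            if route is not None and not (_guards(node) & GUARD_NAMES):
                findings.append((route[0], route[1], node.name))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit_routes.py backend/open_webui/routers/retrieval.py
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    for method, path, name in audit(src):
        print(f"UNGUARDED {method} {path} -> {name}()")
```

Run it over every file under routers/ in CI and fail the build on any finding that is not on an explicit allow-list (health checks, the login route itself); the point is that an unguarded handler should be a deliberate, reviewed exception rather than something a reviewer has to notice by eye.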

---

Proof of Concept - No Token Required

bash
curl -s http://TARGET/api/v1/retrieval/

json
{
  "status": true,
  "CHUNK_SIZE": 1000,
  "CHUNK_OVERLAP": 100,
  "RAG_TEMPLATE": "### Task:\nRespond to the user query using the provided context...\n<context>\n{{CONTEXT}}\n</context>",
  "RAG_EMBEDDING_ENGINE": "",
  "RAG_EMBEDDING_MODEL": "sentence-transformers/all-MiniLM-L6-v2",
  "RAG_RERANKING_MODEL": "",
  "RAG_EMBEDDING_BATCH_SIZE": 1,
  "ENABLE_ASYNC_EMBEDDING": true,
  "RAG_EMBEDDING_CONCURRENT_REQUESTS": 0
}
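For checking your own instances, the curl above is enough by hand; the following is an added example (not from the advisory or from Open WebUI) that turns it into a repeatable check. It sends one unauthenticated GET with only urllib and classifies the answer: a 401 or 403 is taken to mean the handler now has an auth dependency (the assumption being that a guarded route rejects a credential-less request with one of those codes), a 200 carrying the configuration keys above means the instance is exposed, and anything else is reported as unknown rather than guessed. The verdict logic is separated from the network call so it can be run offline against a captured body; the sample body is constructed from the PoC output above.

```python
"""Added example (not from the advisory or from Open WebUI): check whether an
instance answers GET /api/v1/retrieval/ without credentials.

Only urllib is used. The verdict logic is split out so it can be run offline
against a captured response. Assumption: a patched server rejects the
unauthenticated request with 401 or 403.
"""
import json
import urllib.error
import urllib.request

RETRIEVAL_PATH = "/api/v1/retrieval/"

# Configuration keys the vulnerable handler returns (from the advisory)
LEAKED_KEYS = (
    "RAG_EMBEDDING_ENGINE", "RAG_EMBEDDING_MODEL", "RAG_RERANKING_MODEL",
    "RAG_TEMPLATE", "CHUNK_SIZE", "CHUNK_OVERLAP",
)


def assess(status, body):
    """Classify one response as 'vulnerable', 'patched' or 'unknown' and
    return the leaked fields, if any."""
    if status in (401, 403):
        return {"verdict": "patched", "leaked": {}}
    if status != 200:
        return {"verdict": "unknown", "leaked": {}}
    try:
        data = json.loads(body)
    except ValueError:
        return {"verdict": "unknown", "leaked": {}}
    if not isinstance(data, dict):
        return {"verdict": "unknown", "leaked": {}}
    leaked = {k: data[k] for k in LEAKED_KEYS if k in data}
    verdict = "vulnerable" if leaked else "unknown"
    return {"verdict": verdict, "leaked": leaked}


def probe(base_url, timeout=5):
    """Send a single unauthenticated GET (no cookie, no Authorization header)
    and return assess() of the result."""
    url = base_url.rstrip("/") + RETRIEVAL_PATH
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return assess(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample body mirroring the advisory's PoC output
SAMPLE_VULNERABLE_BODY = json.dumps({
    "status": True,
    "CHUNK_SIZE": 1000,
    "CHUNK_OVERLAP": 100,
    "RAG_TEMPLATE": "### Task:\nRespond to the user query using the provided context...",
    "RAG_EMBEDDING_ENGINE": "",
    "RAG_EMBEDDING_MODEL": "sentence-transformers/all-MiniLM-L6-v2",
    "RAG_RERANKING_MODEL": "",
})


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])  # e.g. python check_retrieval.py http://TARGET
    else:
        result = assess(200, SAMPLE_VULNERABLE_BODY)  # offline demonstration
    print(result["verdict"])
    for key, value in result["leaked"].items():
        print(f"  {key} = {value!r}")
```

A "vulnerable" verdict is also a useful detection signal on the server side: a request for this path with no session cookie and no Authorization header coming from an address that has never authenticated is exactly the recon step described in the attack scenario below, and is cheap to alert on in the reverse proxy logs.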

---

Disclosed Information and Its Value to an Attacker

Field | What it reveals
RAG_EMBEDDING_ENGINE | Embedding backend type (OpenAI, Ollama, Azure, etc.)
RAG_EMBEDDING_MODEL | Exact embedding model name
RAG_RERANKING_MODEL | Reranker in use (empty if none is configured)
RAG_TEMPLATE | The prompt template that wraps retrieved context before it reaches the LLM, including any operator customisation
CHUNK_SIZE / CHUNK_OVERLAP | Chunking parameters, which let an attacker reconstruct how documents are split and therefore which text ends up together in a single retrievable chunk

---

Attack Scenario

  1. Attacker sends one unauthenticated HTTP GET to /api/v1/retrieval/.
  2. Response reveals the embedding model, the RAG template, and the chunking parameters.
  3. Attacker uses the exact chunk size/overlap to size and position RAG poisoning payloads so that each injection lands intact inside a single retrievable chunk instead of being cut at a chunk boundary, and knows from RAG_TEMPLATE exactly how that chunk will be framed for the model. The disclosure does not by itself guarantee that a poisoned chunk is retrieved; it removes the guesswork from the attacker's side of the poisoning step.
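Why the two chunking numbers matter is easiest to see by simulating the split. The following is an added example, not code from the advisory or from Open WebUI, and it assumes a fixed-window character splitter that advances by CHUNK_SIZE minus CHUNK_OVERLAP; Open WebUI's configurable text splitter may also break on separators, so real boundaries can differ, but the leaked numbers fix the window geometry an attacker sizes a payload against. With the values from the PoC (1000/100), a 950-character injection placed at an arbitrary offset in an uploaded document straddles two chunks, the same injection placed on a window start is retrieved whole, and a 1200-character injection can never survive intact.

```python
"""Added example (not from the advisory or from Open WebUI): what an attacker
can do with leaked CHUNK_SIZE / CHUNK_OVERLAP.

Assumption: a fixed-window character splitter that advances by
size - overlap. Open WebUI's configurable text splitter may also break on
separators, so real boundaries can differ.
"""

# Values leaked by the unauthenticated response in this advisory
CHUNK_SIZE = 1000
CHUNK_OVERLAP = 100


def chunk_spans(length, size=CHUNK_SIZE, overlap=CHUNK_OVERLAP):
    """Return the [start, end) character windows a fixed-window splitter
    emits over a document of `length` characters."""
    if overlap >= size:
        raise ValueError("overlap must be smaller than chunk size")
    step = size - overlap
    spans, start = [], 0
    while True:
        end = min(start + size, length)
        spans.append((start, end))
        if end >= length:
            return spans
        start += step


def chunks_containing(spans, start, end):
    """Indices of chunks that hold the whole passage [start, end) intact."""
    return [i for i, (s, e) in enumerate(spans) if s <= start and end <= e]


def plan_payload_offset(doc_len, payload_len, size=CHUNK_SIZE, overlap=CHUNK_OVERLAP):
    """Attacker-side planning: first chunk start at which a payload of
    payload_len characters sits entirely inside one chunk, or None if the
    payload is too long to survive splitting intact."""
    if payload_len > size:
        return None
    for s, e in chunk_spans(doc_len, size, overlap):
        if s + payload_len <= e:
            return s
    return None


if __name__ == "__main__":
    # Constructed scenario: a 2,500-character uploaded document
    spans = chunk_spans(2500)
    print("chunk windows:", spans)
    # A 950-char injection placed at offset 500 straddles chunks 0 and 1
    print("straddling payload intact in:", chunks_containing(spans, 500, 1450))
    # The same payload placed on a chunk boundary is retrieved whole
    print("aligned payload intact in:", chunks_containing(spans, 900, 1850))
    # A 1,200-char payload can never fit in a 1,000-char chunk
    print("oversized payload offset:", plan_payload_offset(2500, 1200))
```

The defensive reading is the same calculation in reverse: once the parameters are secret, an attacker who wants an injection to survive the split has to guess or overshoot, and an injection broken across two chunks arrives at the model as two fragments that are individually less likely to read as a coherent instruction.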

---

Impact

  1. RAG template disclosure - the prompt wrapper applied to retrieved context, including any operator customisation, is readable by anyone.
  2. Infrastructure fingerprinting - embedding engine and model name reveal the AI stack to an internet scanner.
  3. RAG attack surface mapping - chunk parameters enable precise calculation of retrieval boundaries.
  4. Zero-effort recon - no brute force, no credentials, no rate-limit concern; a single request from any IP.

---

Recommended Fix

Add the get_verified_user dependency (or get_admin_user for stricter control):

python
# BEFORE (vulnerable)
@router.get('/')
async def get_status(request: Request):
    ...

# AFTER
@router.get('/')
async def get_status(request: Request, user=Depends(get_verified_user)):
    ...

Note that get_verified_user only requires a logged-in account of any role, so every registered user can still read the configuration. Since /embedding and /config on the same router are admin-only, get_admin_user is the consistent choice unless the frontend needs these status values for ordinary users.

Analysis (AI-generated)

Open WebUI's GET /api/v1/retrieval/ endpoint discloses RAG pipeline configuration, including embedding models, chunking parameters, and RAG templates, to unauthenticated attackers with a single HTTP request. The vulnerability affects v0.9.2 and earlier, where this endpoint lacks the authentication guard present on all adjacent endpoints, enabling reconnaissance for RAG poisoning attacks and infrastructure fingerprinting without credentials, authentication tokens, or user interaction.
