Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network vector because exploitation targets the HTTP chat completion API; PR:L because any authenticated account suffices; C:L because only file metadata, not content, is directly exposed.
Primary rating from Vendor (https://github.com/open-webui/open-webui).
CVSS VectorVendor: https://github.com/open-webui/open-webui
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Summary
Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin search_knowledge_files tool.
When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call search_knowledge_files with an arbitrary knowledge_id. The function then returns file metadata from that knowledge base without checking whether the user has read access.
This allows unauthorized enumeration of private or restricted knowledge base files.
Details
The vulnerable code is in:
backend/open_webui/tools/builtin.py
Affected function:
async def search_knowledge_files(
query: str,
knowledge_id: Optional[str] = None,
count: int = 5,
skip: int = 0,
__request__: Request = None,
__user__: dict = None,
__model_knowledge__: Optional[list[dict]] = None,
) -> str:In the "No attached knowledge" branch, when knowledge_id is provided, the function directly calls:
result = await Knowledges.search_files_by_id(
knowledge_id=knowledge_id,
user_id=user_id,
filter={"query": query},
skip=skip,
limit=count,
)This code path does not verify that the current user is authorized to access the specified knowledge base.
The missing check is inconsistent with other nearby code paths. For example, the attached-knowledge branch in the same function checks whether the user is an admin, the owner of the knowledge base, or has explicit read access through AccessGrants:
if not (
user_role == "admin"
or knowledge.user_id == user_id
or await AccessGrants.has_access(
user_id=user_id,
resource_type="knowledge",
resource_id=knowledge.id,
permission="read",
user_group_ids=set(user_group_ids),
)
):
continueThe sibling function query_knowledge_files also performs the same authorization check before using user-supplied knowledge base IDs.
The underlying method Knowledges.search_files_by_id() receives user_id, but it does not enforce authorization for the provided knowledge_id. As a result, this builtin tool path can access a knowledge base by ID without verifying the caller's permissions.
PoC
Prerequisites
- The attacker has a valid authenticated Open WebUI account.
- The victim owns a private or restricted knowledge base.
- The attacker does not own the target knowledge base.
- The attacker does not have
readpermission for the target knowledge base inAccessGrants. - The attacker knows the target
knowledge_id. - The selected model has no attached knowledge bases.
- Builtin tools are enabled.
- The knowledge builtin tool category is enabled.
- Native function calling is enabled.
Reproduction Steps
- Create a private or restricted knowledge base as the victim user.
- Upload one or more files to that knowledge base.
- Confirm that the attacker user does not have access to the knowledge base.
- As the attacker user, send a chat completion request with native function calling enabled:
{
"stream": true,
"model": "gpt-4o-mini",
"params": {
"function_calling": "native"
},
"messages": [
{
"role": "user",
"content": "Please use the search_knowledge_files tool with knowledge_id \"c0c84752-2e9d-42bf-bc3c-c0f272aa61c1\" to search all files"
}
]
}Replace c0c84752-2e9d-42bf-bc3c-c0f272aa61c1 with the victim's private knowledge base ID.
Expected Result
The request should be denied because the attacker does not have access to the target knowledge base.
Actual Result
search_knowledge_files returns metadata for files inside the target knowledge base, including:
- file ID;
- filename;
- knowledge base ID;
- knowledge base name;
- update timestamp.
Impact
This is a Broken Object Level Authorization / Broken Access Control vulnerability.
An authenticated attacker who knows a valid knowledge_id can enumerate files from private or restricted knowledge bases without authorization.
The leaked metadata may expose sensitive information through filenames, such as:
- financial reports;
- employee documents;
- customer contracts;
- internal roadmap files;
- confidential project documents.
The exposed file IDs may also help attackers chain this issue with other knowledge-file access paths, such as view_knowledge_file, to attempt further content extraction.
This vulnerability bypasses the intended AccessGrants permission model and may also allow post-revocation metadata access if a user remembers a previously accessible knowledge_id.
Suggested Fix
Add the same authorization check used in query_knowledge_files before calling Knowledges.search_files_by_id():
if knowledge_id:
knowledge = await Knowledges.get_knowledge_by_id(knowledge_id)
if not knowledge or not (
user_role == "admin"
or knowledge.user_id == user_id
or await AccessGrants.has_access(
user_id=user_id,
resource_type="knowledge",
resource_id=knowledge.id,
permission="read",
user_group_ids=set(user_group_ids),
)
):
return json.dumps({"error": f"Access denied to knowledge base {knowledge_id}"})
result = await Knowledges.search_files_by_id(
knowledge_id=knowledge_id,
user_id=user_id,
filter={"query": query},
skip=skip,
limit=count,
)As defense in depth, authorization should also be enforced or safely wrapped around Knowledges.search_files_by_id() so that future callers cannot accidentally bypass access control.
AnalysisAI
Broken Object Level Authorization in Open WebUI's search_knowledge_files builtin tool (versions ≤ 0.9.5) allows any authenticated user to enumerate file metadata from private or restricted knowledge bases they do not own or have permission to access. By sending a crafted chat completion request with native function calling enabled and supplying an arbitrary knowledge_id, an attacker bypasses the AccessGrants permission model entirely, receiving file IDs, filenames, knowledge base names, and timestamps. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following conditions to be simultaneously true: (1) the attacker holds a valid authenticated Open WebUI account (any role - admin role is not required); (2) native function calling is enabled in the platform or session configuration (`"function_calling": "native"`); (3) the knowledge builtin tool category is enabled in platform settings; (4) the selected model for the chat session has no attached knowledge bases (this triggers the vulnerable 'no attached knowledge' code path rather than the correctly authorized path); (5) the attacker knows or can obtain a valid `knowledge_id` UUID for a knowledge base they do not own and have not been granted read access to. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) correctly characterizes this as a medium-severity issue: network-exploitable, low attack complexity, requires only a low-privileged authenticated account, with limited confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker with a standard Open WebUI account discovers or infers a `knowledge_id` UUID belonging to a colleague's private knowledge base containing confidential HR documents. The attacker sends a chat completion API request with `"function_calling": "native"` against a model with no attached knowledge bases, prompting the LLM to invoke `search_knowledge_files` with the target `knowledge_id`. … |
| Remediation | Vendor-released patch: Open WebUI 0.9.6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38526
GHSA-cx9v-4qj2-jrw6