Skip to content

Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection

Moderate severity GitHub Reviewed Published May 5, 2026 in open-webui/open-webui • Updated May 15, 2026

Package

pip open-webui (pip)

Affected versions

<= 0.8.12

Patched versions

0.9.0

Description

Global Knowledge Base Enumeration via knowledge-bases Meta-Collection

Affected Component

Retrieval collection access validation:

  • backend/open_webui/routers/retrieval.py (lines 2330-2355, _validate_collection_access)
  • backend/open_webui/routers/retrieval.py (query endpoints, e.g. POST /query/doc)

Affected Versions

Current main branch (commit 6fdd19bf1) and likely all versions with the knowledge base subsystem.

Description

The _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-* patterns. All other collection names pass through unchecked — including the system-level knowledge-bases meta-collection, which stores the IDs, names, and descriptions of every knowledge base on the instance.

Any authenticated user can query this meta-collection directly via the retrieval query endpoints to obtain a global index of all knowledge bases across all users.

# retrieval.py:2330-2355 — incomplete collection allowlist
def _validate_collection_access(user, collection_name, ...):
    if collection_name.startswith('user-memory-'):
        # Check user-memory ownership
        ...
    elif collection_name.startswith('file-'):
        # Check file access
        ...
    # Everything else (including "knowledge-bases") passes through unchecked

This finding is the enabler for the KB destruction (process/web), KB content injection (process/file), and RAG vector search access bypass findings — all of which require knowing a target KB's UUID. Without this enumeration, UUIDs are random and practically unguessable; with it, UUIDs across the entire instance are trivially obtained.

CVSS 3.1 Breakdown

Metric Value Rationale
Attack Vector Network (N) Exploited remotely via API call
Attack Complexity Low (L) Single API call
Privileges Required Low (L) Requires any authenticated user account
User Interaction None (N) No victim interaction required
Scope Unchanged (U) Impact within the knowledge base boundary
Confidentiality Low (L) Discloses KB metadata (IDs, names, descriptions) across all users
Integrity None (N) No direct data modification
Availability None (N) No denial of service

Attack Scenario

  1. Attacker (any authenticated user) sends: 
    POST /api/v1/retrieval/query/doc
{
  "collection_name": "knowledge-bases",
  "query": "confidential"
}
  2. _validate_collection_access does not recognize the knowledge-bases prefix and lets the request pass.
  3. The vector search returns the most relevant documents from the meta-collection — knowledge base records including their UUIDs, names, and descriptions — across all users on the instance.
  4. Attacker varies the query to enumerate more KBs: "project", "internal", "private", etc.
  5. Attacker now has a full target list for subsequent attacks (destruction, poisoning, content extraction).

Impact

  • Information disclosure: KB names and descriptions may reveal sensitive project names, internal initiatives, or user activities
  • Enabler for other attacks: Unlocks the following findings by supplying the required target UUIDs:
    • KB destruction/poisoning via process/web
    • Cross-user content injection via process/file
    • RAG vector search access bypass in retrieval/utils.py
  • Transforms these from theoretical (requires UUID guessing) to trivially exploitable (UUIDs enumerable)

Preconditions

  • Attacker must have a valid user account

References

@doge-woof doge-woof published to open-webui/open-webui May 5, 2026
Published to the GitHub Advisory Database May 8, 2026
Reviewed May 8, 2026
Published by the National Vulnerability Database May 15, 2026
Last updated May 15, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS score

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Learn more on MITRE.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Learn more on MITRE.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Learn more on MITRE.

CVE ID

CVE-2026-44557

GHSA ID

GHSA-6c2x-gcp3-gp73

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.