Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 442abdbe68cb · 2026-05-08T19:53:03.000Z
GHSA-6c2x-gcp3-gp73 GHSA-7r82-qhg4-6wvj GHSA-7rjh-px4v-5w55 GHSA-c7wp-3qh5-55pv GHSA-mqq6-cqcx-38vg
diff --git a/advisories/github-reviewed/2026/05/GHSA-6c2x-gcp3-gp73/GHSA-6c2x-gcp3-gp73.json b/advisories/github-reviewed/2026/05/GHSA-6c2x-gcp3-gp73/GHSA-6c2x-gcp3-gp73.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6c2x-gcp3-gp73",
+  "modified": "2026-05-08T19:51:33Z",
+  "published": "2026-05-08T19:51:33Z",
+  "aliases": [
+    "CVE-2026-44557"
+  ],
+  "summary": "Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection",
+  "details": "# Global Knowledge Base Enumeration via knowledge-bases Meta-Collection\n\n## Affected Component\n\nRetrieval collection access validation:\n- `backend/open_webui/routers/retrieval.py` (lines 2330-2355, `_validate_collection_access`)\n- `backend/open_webui/routers/retrieval.py` (query endpoints, e.g. `POST /query/doc`)\n\n## Affected Versions\n\nCurrent main branch (commit `6fdd19bf1`) and likely all versions with the knowledge base subsystem.\n\n## Description\n\nThe `_validate_collection_access` function uses an incomplete allowlist that only enforces ownership checks for collections matching `user-memory-*` and `file-*` patterns. All other collection names pass through unchecked — including the system-level `knowledge-bases` meta-collection, which stores the IDs, names, and descriptions of every knowledge base on the instance.\n\nAny authenticated user can query this meta-collection directly via the retrieval query endpoints to obtain a global index of all knowledge bases across all users.\n\n```python\n# retrieval.py:2330-2355 — incomplete collection allowlist\ndef _validate_collection_access(user, collection_name, ...):\n    if collection_name.startswith('user-memory-'):\n        # Check user-memory ownership\n        ...\n    elif collection_name.startswith('file-'):\n        # Check file access\n        ...\n    # Everything else (including \"knowledge-bases\") passes through unchecked\n```\n\nThis finding is the enabler for the KB destruction (`process/web`), KB content injection (`process/file`), and RAG vector search access bypass findings — all of which require knowing a target KB's UUID. Without this enumeration, UUIDs are random and practically unguessable; with it, UUIDs across the entire instance are trivially obtained.\n\n## CVSS 3.1 Breakdown\n\n| Metric | Value | Rationale |\n|--------|-------|-----------|\n| Attack Vector | Network (N) | Exploited remotely via API call |\n| Attack Complexity | Low (L) | Single API call |\n| Privileges Required | Low (L) | Requires any authenticated user account |\n| User Interaction | None (N) | No victim interaction required |\n| Scope | Unchanged (U) | Impact within the knowledge base boundary |\n| Confidentiality | Low (L) | Discloses KB metadata (IDs, names, descriptions) across all users |\n| Integrity | None (N) | No direct data modification |\n| Availability | None (N) | No denial of service |\n\n## Attack Scenario\n\n1. Attacker (any authenticated user) sends:\n   ```\n   POST /api/v1/retrieval/query/doc\n   {\n     \"collection_name\": \"knowledge-bases\",\n     \"query\": \"confidential\"\n   }\n   ```\n2. `_validate_collection_access` does not recognize the `knowledge-bases` prefix and lets the request pass.\n3. The vector search returns the most relevant documents from the meta-collection — knowledge base records including their UUIDs, names, and descriptions — across all users on the instance.\n4. Attacker varies the query to enumerate more KBs: `\"project\"`, `\"internal\"`, `\"private\"`, etc.\n5. Attacker now has a full target list for subsequent attacks (destruction, poisoning, content extraction).\n\n## Impact\n\n- **Information disclosure:** KB names and descriptions may reveal sensitive project names, internal initiatives, or user activities\n- **Enabler for other attacks:** Unlocks the following findings by supplying the required target UUIDs:\n  - KB destruction/poisoning via `process/web`\n  - Cross-user content injection via `process/file`\n  - RAG vector search access bypass in `retrieval/utils.py`\n- Transforms these from theoretical (requires UUID guessing) to trivially exploitable (UUIDs enumerable)\n\n## Preconditions\n\n- Attacker must have a valid user account",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "open-webui"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.9.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.8.12"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-6c2x-gcp3-gp73"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/open-webui/open-webui"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200",
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-08T19:51:33Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/05/GHSA-7r82-qhg4-6wvj/GHSA-7r82-qhg4-6wvj.json b/advisories/github-reviewed/2026/05/GHSA-7r82-qhg4-6wvj/GHSA-7r82-qhg4-6wvj.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7r82-qhg4-6wvj",
+  "modified": "2026-05-08T19:51:14Z",
+  "published": "2026-05-08T19:51:14Z",
+  "aliases": [
+    "CVE-2026-44554"
+  ],
+  "summary": "Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite",
+  "details": "# Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite\n\n## Affected Component\n\nRetrieval web/YouTube processing endpoints:\n- `backend/open_webui/routers/retrieval.py` (lines 1810-1837, `process_web`)\n- `backend/open_webui/routers/retrieval.py` (the parallel `process_youtube` endpoint)\n- `backend/open_webui/routers/retrieval.py` (line 1445, `save_docs_to_vector_db` call chain)\n\n## Affected Versions\n\nCurrent main branch (commit `6fdd19bf1`) and likely all versions with RAG/knowledge base functionality.\n\n## Description\n\nThe `POST /api/v1/retrieval/process/web` endpoint accepts a user-supplied `collection_name` and an `overwrite` query parameter (default: `True`). It performs no authorization check on whether the calling user owns or has write access to the target collection. When `overwrite=True`, `save_docs_to_vector_db` calls `VECTOR_DB_CLIENT.delete_collection()` on the target collection before writing new content.\n\nCombined with the knowledge base enumeration vulnerability (separate report), an attacker can trivially discover any user's knowledge base UUID and then destroy or poison it.\n\n```python\n# retrieval.py:1810-1837 — no collection authorization check\n@router.post('/process/web')\nasync def process_web(\n    request: Request,\n    form_data: ProcessUrlForm,\n    user=Depends(get_verified_user),\n    ...\n):\n    # ... fetch and process the URL ...\n    save_docs_to_vector_db(\n        request=request,\n        docs=docs,\n        collection_name=form_data.collection_name,  # attacker-controlled, unchecked\n        overwrite=overwrite,                        # defaults to True\n        ...\n    )\n```\n\n## CVSS 3.1 Breakdown\n\n| Metric | Value | Rationale |\n|--------|-------|-----------|\n| Attack Vector | Network (N) | Exploited remotely via API call |\n| Attack Complexity | Low (L) | Single API call with a known KB UUID |\n| Privileges Required | Low (L) | Requires any authenticated user account |\n| User Interaction | None (N) | No victim interaction required |\n| Scope | Unchanged (U) | Impact within the knowledge base authorization boundary |\n| Confidentiality | None (N) | No data disclosure from this vulnerability directly |\n| Integrity | High (H) | Complete replacement of victim's KB content with attacker-controlled data |\n| Availability | High (H) | Victim's original KB embeddings are deleted; KB effectively destroyed |\n\n## Attack Scenario\n\n1. Attacker discovers victim's KB UUID via the `knowledge-bases` meta-collection (separate finding) or other enumeration.\n2. Attacker sends:\n   ```\n   POST /api/v1/retrieval/process/web?overwrite=true\n   {\n     \"url\": \"https://attacker.com/poison\",\n     \"collection_name\": \"<victim_kb_uuid>\"\n   }\n   ```\n3. The endpoint fetches content from the attacker's URL.\n4. `save_docs_to_vector_db` deletes the entire vector collection belonging to the victim's knowledge base.\n5. The attacker's fetched content is embedded and written as the new collection content.\n6. Victim's RAG queries against their KB now return attacker-controlled content instead of their original documents.\n\n## Impact\n\n- **Data destruction:** Victim's original KB embeddings are permanently deleted from the vector store\n- **RAG poisoning:** Attacker-controlled content replaces legitimate knowledge, causing the LLM to return misleading or malicious answers to the victim\n- **Indirect prompt injection:** Poisoned content can contain crafted prompts that manipulate the victim's LLM behavior when queried\n- **Persistence:** The poisoned content persists until the KB is rebuilt from source files\n\n## Preconditions\n\n- Attacker must have a valid user account\n- Attacker must know the target collection name (KB UUID) — easily obtained via the `knowledge-bases` enumeration finding",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "open-webui"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.9.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.8.12"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7r82-qhg4-6wvj"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/open-webui/open-webui"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-08T19:51:14Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/05/GHSA-7rjh-px4v-5w55/GHSA-7rjh-px4v-5w55.json b/advisories/github-reviewed/2026/05/GHSA-7rjh-px4v-5w55/GHSA-7rjh-px4v-5w55.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7rjh-px4v-5w55",
+  "modified": "2026-05-08T19:50:51Z",
+  "published": "2026-05-08T19:50:51Z",
+  "aliases": [
+    "CVE-2026-44558"
+  ],
+  "summary": "Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants",
+  "details": "# Channel Access Grants Bypass filter_allowed_access_grants\n\n## Affected Component\n\nChannel creation and update endpoints:\n- `backend/open_webui/routers/channels.py` (lines 291-340, `create_new_channel`)\n- `backend/open_webui/routers/channels.py` (lines 617-638, `update_channel_by_id`)\n- `backend/open_webui/models/channels.py` (lines 825-826, `set_access_grants` call without filtering)\n\n## Affected Versions\n\nCurrent main branch (commit `6fdd19bf1`) and likely all versions supporting user-created group channels with access grants.\n\n## Description\n\nAll resource routers in Open WebUI (knowledge, models, notes, prompts, tools, skills) call `filter_allowed_access_grants()` before persisting access grants. This function strips `principal_id: \"*\"` wildcard grants from users who lack the relevant `sharing.public_*` permission, and strips individual user grants from users who lack `access_grants.allow_users` permission.\n\nThe channel router does not call `filter_allowed_access_grants` on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants — including public wildcard grants — and those grants are stored verbatim, bypassing the admin's permission framework.\n\n```python\n# channels.py — access_grants from form data flow directly into persistence\n# No call to filter_allowed_access_grants() anywhere in these paths.\n\n# Compare with knowledge.py / models.py / notes.py / prompts.py / tools.py / skills.py,\n# all of which do:\n#     form_data.access_grants = filter_allowed_access_grants(user, form_data.access_grants)\n# before creating or updating.\n```\n\n## Attack Scenario\n\n1. Admin configures permissions so that regular users do NOT have `sharing.public_channels` — public sharing of channels is intended to be admin-only.\n2. Attacker (a regular user) creates or owns a group channel.\n3. Attacker sends:\n   ```\n   POST /api/v1/channels/\n   {\n     \"name\": \"public-channel\",\n     \"type\": \"group\",\n     \"access_control\": {\n       \"access_grants\": [\n         {\"principal_type\": \"user\", \"principal_id\": \"*\", \"permission\": \"read\"}\n       ]\n     }\n   }\n   ```\n4. `set_access_grants` is called directly without `filter_allowed_access_grants` — the wildcard grant is persisted.\n5. The channel becomes publicly readable to every user on the instance, despite the admin's policy prohibiting public channels for regular users.\n\nThe same attack works via `POST /api/v1/channels/{id}/update` for any channel the attacker owns.\n\n## Impact\n\n- Regular users can bypass the `sharing.public_channels` permission and make channels publicly accessible\n- Regular users can bypass `access_grants.allow_users` to grant individual-user access in environments where only group-based sharing is intended\n- Admin's permission framework for channels is silently ineffective\n- Creates an inconsistency with every other resource type in the codebase, making the security posture harder to reason about\n\n## Preconditions\n\n- Attacker must have an account with the ability to create group channels (default user capability), or ownership of an existing channel\n- Admin must have configured restrictive sharing permissions for regular users (otherwise there's no policy to bypass)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "open-webui"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.9.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.8.12"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7rjh-px4v-5w55"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/open-webui/open-webui"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-08T19:50:51Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/05/GHSA-c7wp-3qh5-55pv/GHSA-c7wp-3qh5-55pv.json b/advisories/github-reviewed/2026/05/GHSA-c7wp-3qh5-55pv/GHSA-c7wp-3qh5-55pv.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c7wp-3qh5-55pv",
+  "modified": "2026-05-08T19:51:48Z",
+  "published": "2026-05-08T19:51:48Z",
+  "aliases": [
+    "CVE-2026-44559"
+  ],
+  "summary": "Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels",
+  "details": "# Missing Access Check on Channel Members Endpoint for Standard Channels\n\n## Affected Component\n\nChannel members listing endpoint:\n- `backend/open_webui/routers/channels.py` (lines 445-507, `get_channel_members_by_id`)\n\n## Affected Versions\n\nCurrent main branch and likely all versions with the channels feature.\n\n## Description\n\nThe `GET /api/v1/channels/{id}/members` endpoint only checks membership for `group` and `dm` channel types (lines 467-469). For standard channels — including private ones — there is no `channel_has_access` check before returning the member list. Any authenticated user who knows a private channel's UUID can enumerate all users with access to that channel.\n\n```python\n# Line 467-469: only group/dm channels are checked\nif channel.type in ['group', 'dm']:\n    if not Channels.is_user_channel_member(channel.id, user.id, db=db):\n        raise HTTPException(...)\n# Standard channels fall through with NO access check\n```\n\nCompare with other channel endpoints (e.g., `get_channel_messages` at line 688) which correctly call `channel_has_access(user.id, channel, permission='read')` for standard channels.\n\n## CVSS 3.1 Breakdown\n\n| Metric | Value | Rationale |\n|--------|-------|-----------|\n| Attack Vector | Network (N) | Exploited remotely via API call |\n| Attack Complexity | Low (L) | Single API call, no special conditions |\n| Privileges Required | Low (L) | Requires a valid user account |\n| User Interaction | None (N) | No victim interaction required |\n| Scope | Unchanged (U) | Impact is within the channel authorization boundary |\n| Confidentiality | Low (L) | Leaks user identities and details for a private channel |\n| Integrity | None (N) | No data modification |\n| Availability | None (N) | No denial of service |\n\n## Attack Scenario\n\n1. Attacker obtains a private standard channel's UUID (via logs, browser history, URL observation, or other API responses).\n2. Attacker calls `GET /api/v1/channels/{id}/members`.\n3. The server returns the full list of permitted users including their IDs, names, emails, roles, and profile images.\n4. The attacker has no access to the channel's messages (those endpoints check access correctly), but now knows exactly who does.\n\n## Impact\n\n- Leaks the identity and personal details of every user with access to a private channel\n- Reveals organizational structure and project assignments\n- Enables targeted social engineering against channel members\n\n## Preconditions\n\n- Channels feature must be enabled (disabled by default)\n- Attacker must know the channel UUID (not guessable, but obtainable through indirect means)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "open-webui"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.9.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.8.12"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-c7wp-3qh5-55pv"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/open-webui/open-webui"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-08T19:51:48Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/05/GHSA-mqq6-cqcx-38vg/GHSA-mqq6-cqcx-38vg.json b/advisories/github-reviewed/2026/05/GHSA-mqq6-cqcx-38vg/GHSA-mqq6-cqcx-38vg.json
