Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-* patterns. All other collection names pass through unchecked — including the system-level knowledge-bases meta-collection, which stores the IDs, names, and descriptions of every knowledge base on the instance. Any authenticated user can query this meta-collection directly via the retrieval query endpoints to obtain a global index of all knowledge bases across all users. This vulnerability is fixed in 0.9.0.
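To make the failure mode concrete, the following is an added Python illustration (not Open WebUI's code; the function names, the user/admin role model and the ownership tables are assumptions constructed for this example). It places an allowlist-style check that only inspects the `user-memory-*` and `file-*` patterns next to a deny-by-default check that refuses any collection name it has no explicit rule for, so the difference in how the `knowledge-bases` meta-collection is treated can be seen directly.

```python
"""Hypothetical illustration of an incomplete-allowlist access check beside a
deny-by-default replacement. Not Open WebUI's code; the helper names, the role
model and the ownership tables below are constructed for this example."""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class User:
    id: str
    role: str = "user"  # assumed roles: "user" or "admin"


@dataclass
class OwnershipIndex:
    """Constructed stand-in for the records of who owns which object."""
    memories: dict = field(default_factory=dict)   # memory id -> owner user id
    files: dict = field(default_factory=dict)      # file id -> owner user id
    knowledge: dict = field(default_factory=dict)  # knowledge base id -> owner user id


SYSTEM_META_COLLECTION = "knowledge-bases"  # collection name taken from the advisory


def _owns(table: dict, key: str, user: User) -> bool:
    return table.get(key) == user.id


def validate_collection_access_incomplete(user: User, collection: str,
                                          idx: OwnershipIndex) -> bool:
    """The pattern the advisory describes: only two name patterns receive an
    ownership check; every other name, the system meta-collection included,
    falls through and is allowed."""
    if fnmatch.fnmatch(collection, "user-memory-*"):
        return _owns(idx.memories, collection[len("user-memory-"):], user)
    if fnmatch.fnmatch(collection, "file-*"):
        return _owns(idx.files, collection[len("file-"):], user)
    return True  # the gap: names outside the allowlist are implicitly trusted


def validate_collection_access_hardened(user: User, collection: str,
                                        idx: OwnershipIndex) -> bool:
    """Deny-by-default form (an assumed design, not the project's actual fix):
    every name must match a known class with an explicit rule, the system
    meta-collection is reserved for administrators, and anything unrecognised
    is refused."""
    if collection == SYSTEM_META_COLLECTION:
        return user.role == "admin"
    if collection.startswith("user-memory-"):
        return _owns(idx.memories, collection[len("user-memory-"):], user)
    if collection.startswith("file-"):
        return _owns(idx.files, collection[len("file-"):], user)
    if collection in idx.knowledge:
        return user.role == "admin" or _owns(idx.knowledge, collection, user)
    return False  # deny by default


def compare_checks(user: User, collection: str, idx: OwnershipIndex) -> dict:
    """Run both checks on one request so the divergence is visible side by side."""
    return {
        "incomplete": validate_collection_access_incomplete(user, collection, idx),
        "hardened": validate_collection_access_hardened(user, collection, idx),
    }


def sample_index() -> OwnershipIndex:
    """Constructed sample ownership data for the demonstration."""
    return OwnershipIndex(
        memories={"m1": "alice", "m2": "bob"},
        files={"f1": "alice"},
        knowledge={"kb-alpha": "alice", "kb-beta": "bob"},
    )


if __name__ == "__main__":
    idx = sample_index()
    alice = User("alice")
    for name in ["user-memory-m1", "user-memory-m2", "file-f1",
                 "kb-alpha", "kb-beta", SYSTEM_META_COLLECTION, "anything-else"]:
        print(f"{name:16} {compare_checks(alice, name, idx)}")
```

Running the script shows the two checks agreeing on the allowlisted patterns and disagreeing everywhere else: the incomplete check returns True for `knowledge-bases`, for another user's knowledge base and for an arbitrary unknown name, while the hardened check returns False for all three unless the caller is an admin or the owner. The defensive lesson is that an allowlist must be paired with a final deny, and that a check over collection names must enumerate every class of name the store can hold, system-level collections included.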
Published: 2026-05-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Open WebUI’s _validate_collection_access function allows any authenticated user to read the system’s knowledge‑bases meta‑collection. This collection contains the identifiers, names, and descriptions of every knowledge base on the instance, effectively revealing a global inventory of all users’ data. The weakness is a classic access‑control bypass (CWE‑863) and does not grant code execution or privilege escalation, but it exposes sensitive information that could aid further attacks.

Affected Systems

The vulnerability affects the open-webui:open-webui product, specifically all releases prior to 0.9.0 of the self‑hosted AI platform. Those deploying older versions are susceptible to enumeration of all knowledge bases across all users.

Risk and Exploitability

With a CVSS score of 4.3 the flaw is considered medium severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation is not currently reported. Because the attack requires an authenticated session, an attacker must first gain valid credentials; once authenticated, the attacker can simply query retrieval endpoints to enumerate all knowledge bases, potentially aiding social‑engineering or phishing campaigns.

Generated by OpenCVE AI on May 15, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Open WebUI to version 0.9.0 or later, where the allowlist has been corrected
  • If an immediate upgrade is not feasible, restrict access to the meta‑collection retrieval endpoints or disable that endpoint entirely
  • Review authentication and role‑based access controls to ensure only authorized users can query retrieval endpoints
  • Consider monitoring API usage for unusual enumeration patterns and investigate suspicious activity

Advisories
Source: GitHub GHSA
ID: GHSA-6c2x-gcp3-gp73
Title: Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
History

Fri, 15 May 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Open-webui; Open-webui open-webui

Type: Vendors & Products
Values Added: Open-webui; Open-webui open-webui

Fri, 15 May 2026 20:15:00 +0000

Type: Description
Values Added: the Description text shown at the top of this page

Type: Title
Values Added: Open WebUI: Global Knowledge Base Enumeration via knowledge-bases Meta-Collection

Type: Weaknesses
Values Added: CWE-863

Type: References

Type: Metrics
Values Added: cvssV3_1, score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T19:44:49.651Z

Reserved: 2026-05-06T20:59:00.594Z

Link: CVE-2026-44557

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-15T20:16:47.227

Modified: 2026-05-15T20:16:47.227

Link: CVE-2026-44557

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:30:08Z

Weaknesses