Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" (non-full-context), type: "text" with collection_name, and bare collection_name/collection_names paths in the get_sources_from_items function perform vector store queries without any authorization check, allowing users to extract content from files and knowledge bases they do not have access to. This vulnerability is fixed in 0.9.0.
Published: 2026-05-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a missing authorization check (CWE-862) in the get_sources_from_items function of Open WebUI's RAG pipeline. Three code paths run vector store queries without verifying that the caller may read the underlying data: type "file" items (when not in full-context mode), type "text" items that carry a collection_name, and bare collection_name/collection_names references. An authenticated user who supplies the identifier of another user's file or knowledge base through one of these paths receives the matching chunks back, disclosing content they should not be able to read. The impact is confidentiality loss only (CVSS C:H); integrity and availability are not affected.
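To make the three paths concrete, the following is an added, constructed model of a get_sources_from_items-style dispatcher in its vulnerable shape beside a hardened one. It is not Open WebUI's code: the data model (FileRecord, Knowledge, User), the in-memory VectorStore stand-in, the registries and the function names are assumptions chosen to mirror the paths named in the advisory, and the "secret" documents are constructed sample data. The point it demonstrates is that every collection name resolved from a request item, regardless of which path produced it, must be checked against the caller before the store is queried.

```python
"""Model of the authorization gap behind CVE-2026-44560 and its fix.

Constructed example for this page; not Open WebUI's code. FileRecord,
Knowledge, VectorStore and the get_sources_from_items_* functions are
assumptions that mirror the three advisory paths: type "file"
(non-full-context), type "text" with collection_name, and bare
collection_name/collection_names.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: str
    role: str = "user"


@dataclass
class FileRecord:
    id: str
    owner_id: str
    collection_name: str  # vector collection holding this file's chunks


@dataclass
class Knowledge:
    id: str
    owner_id: str
    collection_name: str
    shared_with: set = field(default_factory=set)  # user ids granted read


class AccessDenied(Exception):
    pass


class VectorStore:
    """In-memory stand-in: substring match instead of embedding similarity."""

    def __init__(self):
        self.collections = {}

    def add(self, collection, text):
        self.collections.setdefault(collection, []).append(text)

    def query(self, collection, q):
        return [c for c in self.collections.get(collection, []) if q.lower() in c.lower()]


# Constructed registries: alice owns a file, bob owns a knowledge base shared with dave.
FILES = {"f1": FileRecord("f1", "alice", "file-f1")}
KNOWLEDGE = {"k1": Knowledge("k1", "bob", "kb-bob", shared_with={"dave"})}


def build_demo_store():
    """Constructed sample chunks standing in for embedded document content."""
    store = VectorStore()
    store.add("file-f1", "alice secret budget")
    store.add("kb-bob", "bob secret roadmap")
    return store


def resolve_collections(item):
    """Map one request item to the vector collections it queries (the three paths)."""
    if item.get("type") == "file":
        if item.get("full_context"):
            return []  # full-context path reads the file directly; out of scope here
        return [FILES[item["id"]].collection_name]
    if item.get("type") == "text" and item.get("collection_name"):
        return [item["collection_name"]]
    if "collection_names" in item:
        return list(item["collection_names"])
    if "collection_name" in item:
        return [item["collection_name"]]
    return []


def can_read_collection(user, name):
    """Authorization predicate: owner, explicit share, or admin."""
    if user.role == "admin":
        return True
    for f in FILES.values():
        if f.collection_name == name and f.owner_id == user.id:
            return True
    for k in KNOWLEDGE.values():
        if k.collection_name == name and (k.owner_id == user.id or user.id in k.shared_with):
            return True
    return False


def get_sources_from_items_vulnerable(user, items, query, store):
    """Pre-0.9.0 shape: collection names from the request go straight to the store."""
    results = []
    for item in items:
        for name in resolve_collections(item):
            results.extend(store.query(name, query))  # no check against `user`
    return results


def get_sources_from_items_fixed(user, items, query, store):
    """Hardened shape: every resolved collection is checked against the caller."""
    results = []
    for item in items:
        for name in resolve_collections(item):
            if not can_read_collection(user, name):
                raise AccessDenied(f"{user.id} may not query {name}")
            results.extend(store.query(name, query))
    return results


if __name__ == "__main__":
    store = build_demo_store()
    carol = User("carol")  # has no access to f1 or kb-bob
    hostile = [{"type": "file", "id": "f1"},
               {"type": "text", "collection_name": "kb-bob"},
               {"collection_names": ["kb-bob"]}]
    print("vulnerable:", get_sources_from_items_vulnerable(carol, hostile, "secret", store))
    try:
        get_sources_from_items_fixed(carol, hostile, "secret", store)
    except AccessDenied as e:
        print("fixed:", e)
```

The check sits on the resolved collection name rather than on the request item, so a new item type that resolves to a collection cannot bypass it; that is the property to look for when reviewing the real fix.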

Affected Systems

All Open WebUI installations running a version earlier than 0.9.0 are affected. The vendor is open-webui. The issue was resolved in 0.9.0, which adds authorization checks to the affected paths in get_sources_from_items.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates moderate severity: network-reachable, low complexity and no user interaction, but requiring an authenticated low-privilege account, with confidentiality-only impact. The EPSS score is below 1%, and the vulnerability is not listed in CISA's KEV catalog. The attack path is the chat or RAG API that accepts file and collection references and passes them to get_sources_from_items; any logged-in user can reference files or knowledge bases owned by others and retrieve matching content. Exploitation requires only network access to the instance and a valid account, not elevated privileges.

Generated by OpenCVE AI on May 15, 2026 at 21:25 UTC.

Remediation

Fixed in Open WebUI 0.9.0 (see the description and GHSA-h36f-rqpx-j5wx); no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.9.0 or later, which adds authorization checks to the affected paths in get_sources_from_items.
  • Until the upgrade is applied, restrict who can sign up or sign in: the CVSS vector (PR:L) means any authenticated account can exploit this, so disabling anonymous access and open registration shrinks the population of potential attackers but does not remove the flaw.
  • Review request logs for chat and RAG calls that reference file IDs or knowledge-base collection names the requesting user does not own or have shared access to; get_sources_from_items is an internal function, so monitoring has to happen at the API layer that feeds it.



Advisories
Source: GitHub GHSA
ID: GHSA-h36f-rqpx-j5wx
Title: Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search
History

Fri, 15 May 2026 21:45:00 +0000

Type: First Time appeared
Values added: Open-webui; Open-webui open-webui

Type: Vendors & Products
Values added: Open-webui; Open-webui open-webui

Fri, 15 May 2026 21:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 20:15:00 +0000

Type: Description
Values added: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" (non-full-context), type: "text" with collection_name, and bare collection_name/collection_names paths in the get_sources_from_items function perform vector store queries without any authorization check, allowing users to extract content from files and knowledge bases they do not have access to. This vulnerability is fixed in 0.9.0.

Type: Title
Values added: Open WebUI: Unauthorized File and Knowledge Base Content Access via RAG Vector Search

Type: Weaknesses
Values added: CWE-862

Type: References

Type: Metrics
Values added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T21:09:57.441Z

Reserved: 2026-05-06T20:59:00.595Z

Link: CVE-2026-44560

Vulnrichment

Updated: 2026-05-15T21:09:53.072Z

NVD

Status : Received

Published: 2026-05-15T20:16:47.613

Modified: 2026-05-15T20:16:47.613

Link: CVE-2026-44560

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:30:08Z

Weaknesses