Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its content through the retrieval query endpoints, even though the knowledge API correctly denies that user access. The same gap affects the retrieval write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube), allowing an attacker to inject content into or overwrite another user's knowledge base. This vulnerability is fixed in 0.9.5.
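As an added illustration (not Open WebUI's own code), the pattern the description points at, modelled in Python: a prefix-based allowlist that falls through to "allowed" for any collection name it does not recognise, beside a deny-by-default version that resolves raw-UUID collection names against an ownership table. The function names, the ownership tables and the sharing rule are constructed for this example and are not the upstream implementation or fix.

```python
import uuid

# Constructed sample data for the example: which user owns each collection.
FILE_OWNERS = {"file-42": "alice"}
KNOWLEDGE_BASES = {  # raw UUID collection names, as the advisory describes
    "3f2a9d1e-8b4c-4e6a-9f01-2c7d5a8b9e10": {"owner": "alice", "shared_with": set()},
    "7c1b2e3d-4f5a-4b6c-8d9e-0f1a2b3c4d5e": {"owner": "bob", "shared_with": {"alice"}},
}


def is_uuid(name: str) -> bool:
    try:
        uuid.UUID(name)
    except ValueError:
        return False
    return True


def vulnerable_validate(collection: str, user_id: str) -> bool:
    """Models the pre-0.9.5 pattern in the advisory: only the user-memory-*
    and file-* prefixes are checked; any other name, including a knowledge
    base UUID, falls through and is treated as allowed (fail-open)."""
    if collection.startswith("user-memory-"):
        return collection == f"user-memory-{user_id}"
    if collection.startswith("file-"):
        return FILE_OWNERS.get(collection) == user_id
    return True


def hardened_validate(collection: str, user_id: str) -> bool:
    """Deny-by-default variant (an illustration, not the upstream fix): every
    recognised collection kind is resolved to an owner, and unknown or
    unresolvable names are refused."""
    if collection.startswith("user-memory-"):
        return collection == f"user-memory-{user_id}"
    if collection.startswith("file-"):
        return FILE_OWNERS.get(collection) == user_id
    if is_uuid(collection):
        kb = KNOWLEDGE_BASES.get(collection)
        if kb is None:
            return False
        return user_id == kb["owner"] or user_id in kb["shared_with"]
    return False


if __name__ == "__main__":
    alice_kb = "3f2a9d1e-8b4c-4e6a-9f01-2c7d5a8b9e10"
    # Another authenticated user who merely knows the UUID:
    print("vulnerable:", vulnerable_validate(alice_kb, "mallory"))  # True
    print("hardened:  ", hardened_validate(alice_kb, "mallory"))    # False
```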
Published: 2026-05-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI permitted any authenticated user to retrieve and alter private knowledge bases through its retrieval APIs. The vulnerability, an IDOR flaw, bypassed the platform's collection‑level access controls because the validation routine checked only prefixed collection names and never checked the raw UUIDs that name knowledge base collections. As a result, an attacker could read, inject, or overwrite another user's private data, compromising both the confidentiality and integrity of the knowledge bases. The flaw stems from improper validation of collection names and is classified as CWE‑639.

Affected Systems

The issue affects all instances of the Open WebUI platform running versions prior to 0.9.5. Users who have not upgraded to v0.9.5 or later are at risk, regardless of other configuration settings. The product is branded as open-webui:open-webui; no specific sub‑products are listed.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. Exploitation requires valid credentials and knowledge of a target knowledge base UUID, so the attacker must be an authenticated user. While the EPSS score is currently unavailable, the high CVSS score and public advisories confirming the IDOR suggest a non‑negligible risk. This vulnerability is not listed in the CISA KEV catalog, but the potential for internal data leakage warrants immediate action.

Generated by OpenCVE AI on May 15, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Open WebUI v0.9.5 or later to apply the patch that restores collection‑level access control for knowledge bases.
  • Verify that the platform is configured to refuse access to collection names that are not prefixed with allowed identifiers, ensuring that UUID‑based knowledge bases are protected.
  • Implement monitoring to detect unauthorized API calls to retrieval endpoints and enforce least‑privilege access for authenticated users, thereby limiting the impact of any future IDOR attempts.

Advisories
Source: GitHub GHSA
ID: GHSA-4g37-7p2c-38r9
Title: Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls
History

Fri, 15 May 2026 22:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Open-webui; Open-webui open-webui
Vendors & Products  |                | Open-webui; Open-webui open-webui

Fri, 15 May 2026 21:00:00 +0000

Values added (no values removed):

Description: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its content through the retrieval query endpoints, even though the knowledge API correctly denies that user access. The same gap affects the retrieval write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube), allowing an attacker to inject content into or overwrite another user's knowledge base. This vulnerability is fixed in 0.9.5.
Title: Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Access Controls
Weaknesses: CWE-639
References:
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T20:35:35.482Z

Reserved: 2026-05-12T01:48:40.451Z

Link: CVE-2026-45398

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-15T21:16:37.863

Modified: 2026-05-15T21:16:37.863

Link: CVE-2026-45398

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T23:00:14Z

Weaknesses