Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin search_knowledge_files tool. When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call search_knowledge_files with an arbitrary knowledge_id. The function then returns file metadata from that knowledge base without checking whether the user has read access. This allows unauthorized enumeration of private or restricted knowledge base files. This vulnerability is fixed in 0.9.6.
Published: 2026-06-23
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Before 0.9.6 its builtin search_knowledge_files tool has a Broken Object Level Authorization (BOLA) flaw, classified as CWE-639 (Authorization Bypass Through User-Controlled Key). When native function calling is enabled and the selected model has no attached knowledge bases, the tool resolves whatever knowledge_id the authenticated user supplies and returns file metadata from that knowledge base without checking that the user has read access to it. The result is unauthorized enumeration of the files held in private or restricted knowledge bases. The vulnerability is fixed in version 0.9.6.
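Open WebUI is written in Python, so the following is a simplified Python model of the flaw and of the object-level check that closes it. It is an added illustration, not Open WebUI's own code: the User and KnowledgeBase classes, the KNOWLEDGE table and its contents, the user_can_read rule and the attached_kb_ids parameter are all assumptions made for the demonstration. The vulnerable function mirrors the pattern the advisory describes (a caller-supplied knowledge_id resolved and served with no read check once no attached knowledge base scopes it); the fixed function authorizes the object before touching it and returns the same empty result for "not found" and "not allowed", so the identifier cannot be used as an existence oracle.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: str
    role: str = "user"


@dataclass
class KnowledgeBase:
    id: str
    owner_id: str
    access: str  # "private" or "public" (assumed simplification; real deployments also have group grants)
    files: list = field(default_factory=list)


# Constructed sample data for the demonstration (not from the advisory).
KNOWLEDGE = {
    kb.id: kb
    for kb in (
        KnowledgeBase("kb-hr", "alice", "private",
                      [{"id": "f-1", "name": "salary-bands-2026.xlsx"},
                       {"id": "f-2", "name": "termination-procedure.pdf"}]),
        KnowledgeBase("kb-handbook", "alice", "public",
                      [{"id": "f-3", "name": "employee-handbook.pdf"}]),
    )
}


def user_can_read(user: User, kb: KnowledgeBase) -> bool:
    """Object-level authorization: may this user read this knowledge base? (assumed rule)"""
    return user.role == "admin" or kb.owner_id == user.id or kb.access == "public"


def _match(kb: KnowledgeBase, query: str) -> list:
    """Return the file metadata (id and name) whose name contains the query."""
    q = query.lower()
    return [{"id": f["id"], "name": f["name"]} for f in kb.files if q in f["name"].lower()]


def search_knowledge_files_vulnerable(user: User, knowledge_id: str, query: str,
                                      attached_kb_ids=()) -> list:
    """BOLA pattern: the caller-supplied id is resolved and served with no read check.

    When the model has attached knowledge bases the id is scoped to them, but with
    none attached nothing constrains knowledge_id, which is the case in the advisory.
    """
    if attached_kb_ids and knowledge_id not in attached_kb_ids:
        return []
    kb = KNOWLEDGE.get(knowledge_id)
    return _match(kb, query) if kb else []   # no user_can_read() call: any id works


def search_knowledge_files_fixed(user: User, knowledge_id: str, query: str,
                                 attached_kb_ids=()) -> list:
    """Hardened form: authorize the object before returning anything about it.

    Not-found and not-authorized collapse into the same empty result so the
    knowledge_id cannot be used to probe which knowledge bases exist.
    """
    if attached_kb_ids and knowledge_id not in attached_kb_ids:
        return []
    kb = KNOWLEDGE.get(knowledge_id)
    if kb is None or not user_can_read(user, kb):
        return []
    return _match(kb, query)


if __name__ == "__main__":
    bob = User("bob")  # authenticated, but not the owner of kb-hr
    print("vulnerable:", search_knowledge_files_vulnerable(bob, "kb-hr", "salary"))
    print("fixed:     ", search_knowledge_files_fixed(bob, "kb-hr", "salary"))
```

The point to carry into a real code review is the position of the check: it belongs on the object being accessed (the knowledge base), right after the lookup and before any of its contents are read, and it must run regardless of whether the model had knowledge bases attached.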

Affected Systems

Open WebUI 0.9.5 and earlier (every release before 0.9.6).

Risk and Exploitability

With a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), the vulnerability is rated medium severity: reachable over the network, low attack complexity, low privileges (any authenticated account), no user interaction, and a limited confidentiality impact with no integrity or availability impact. No EPSS score is available and the vulnerability is not listed in CISA KEV; the SSVC assessment records a proof of concept and rates exploitation as not automatable. Exploitation requires a valid authenticated session; once inside, an attacker can enumerate file metadata from any knowledge base whose ID they know or can guess, regardless of the access controls configured on it. No code execution or denial of service is exposed, but file names and identifiers from a restricted knowledge base reveal what sensitive material it holds and can support broader reconnaissance.

Generated by OpenCVE AI on June 24, 2026 at 10:56 UTC.

Remediation

Fixed by the vendor in Open WebUI 0.9.6 (see GHSA-cx9v-4qj2-jrw6). Until an instance is upgraded, disabling native function calling keeps the vulnerable condition from being reached.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.9.6 or later, which includes the fix for the broken authorization.
  • Disable the native function‑calling feature if not required by your deployment, to reduce the attack surface.
  • Ensure that only authorized users have access to sensitive knowledge bases, and review the current models’ knowledge base assignments to remove any that inadvertently expose private data.
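To decide which instances need the upgrade, compare the running version against the fix release numerically rather than as strings (as strings, "0.10.0" sorts before "0.9.6"). The helper below is an added example, not code from OpenCVE or Open WebUI; it assumes you can obtain the version string from wherever your deployment exposes it (the About dialog or the container image tag), and the inventory it triages is constructed for the demonstration.

```python
import re

# Fix release named in the advisory for CVE-2026-54016.
FIXED_IN = (0, 9, 6)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Turn 'v0.9.5', '0.9.6' or '0.10.0-rc1' into a comparable (major, minor, patch) tuple.

    Anything after the patch number is ignored, so a pre-release tagged 0.9.6-rc1
    would be treated as fixed; check the exact tag if that distinction matters.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Open WebUI version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True when the instance is older than the fix release."""
    return parse_version(version) < FIXED_IN


def triage(inventory: dict) -> list:
    """Given {hostname: version}, return the hosts that still need the 0.9.6 upgrade."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory for the demonstration (hostnames are hypothetical).
SAMPLE_INVENTORY = {
    "llm-dev.example.internal": "v0.9.5",
    "llm-prod.example.internal": "0.9.6",
    "llm-lab.example.internal": "0.10.0-rc1",
    "llm-old.example.internal": "0.8.12",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to Open WebUI 0.9.6 or later")
```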



Advisories

  • Source: GitHub GHSA
    ID: GHSA-cx9v-4qj2-jrw6
    Title: Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration
History

Tue, 23 Jun 2026 20:15:00 +0000

  Values added:
  • First Time appeared: Open-webui; Open-webui open-webui
  • Vendors & Products: Open-webui; Open-webui open-webui

Tue, 23 Jun 2026 19:30:00 +0000

  Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 17:30:00 +0000

  Values added:
  • Description: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin search_knowledge_files tool. When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call search_knowledge_files with an arbitrary knowledge_id. The function then returns file metadata from that knowledge base without checking whether the user has read access. This allows unauthorized enumeration of private or restricted knowledge base files. This vulnerability is fixed in 0.9.6.
  • Title: Open WebUI: Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration
  • Weaknesses: CWE-639
  • References: (none recorded)
  • Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-06-23T17:39:38.524Z

Reserved: 2026-06-11T16:34:11.636Z

Link: CVE-2026-54016

Vulnrichment

Updated: 2026-06-23T17:39:27.983Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T11:00:13Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key