Open WebUI is a self‑hosted AI platform that operates offline. Prior to version 0.9.6, the platform added collection‑level ACL checks, but those checks can still be bypassed when Milvus multitenancy mode is enabled. The ACL permits unknown non‑KB collection names as legacy/ephemeral collections. In multitenancy mode, the user‑controlled collection name becomes a resource_id and is interpolated into a Milvus expression without escaping because the patch is incomplete, stemming from CVE-2026-44560. An attacker can supply a crafted collection name that injects a malicious sub‑expression, thereby bypassing ACL enforcement and allowing unauthorized access or modification of data. This vulnerability is fixed in version 0.9.6.

Open WebUI installations that run with Milvus multitenancy mode enabled are vulnerable. The CVE data does not specify exact affected versions.

The risk associated with this vulnerability is moderate. The CVSS score of 6.5 indicates a moderate severity, and the vulnerability was not listed in CISA KEV, suggesting that there are no widely documented exploitation attempts as of the last update. The attack vector is likely via a constructed collection name containing malicious Milvus expression fragments passed to the Open WebUI endpoint. By exploiting the lack of escaping, an attacker can inject arbitrary expressions that will be executed on the database, allowing them to read, modify, or delete data within collections they would normally be denied access to in a multitenancy configuration. Although the threat is mitigated by disabling multitenancy or upgrading to 0.9.6, the vulnerability remains a risk in environments that cannot apply the patch immediately.