CVE-2026-44557: open-webui: auth bypass exposes all knowledge base metadata

GHSA-6c2x-gcp3-gp73 MEDIUM
Published May 8, 2026
CISO Take

Open WebUI's retrieval engine fails to validate access to the system-level `knowledge-bases` meta-collection, allowing any authenticated user to enumerate every knowledge base on the instance — including names, descriptions, and UUIDs — via a single API call. This is categorized as medium (CVSS 4.3), but it functions as a precondition multiplier: three companion vulnerabilities in the same package (KB destruction, cross-user content injection, and RAG vector search bypass) all require a valid UUID that is otherwise random and unguessable; this enumeration flaw makes those attacks trivially executable. Organizations running shared Open WebUI instances — particularly those storing internal documentation, compliance materials, or proprietary data in knowledge bases — should treat this as high-priority despite the headline score. Patch to open-webui 0.9.0 immediately; until patched, restrict retrieval API endpoints to known-safe network segments and audit logs for POST requests to `/api/v1/retrieval/query/doc` with `collection_name: knowledge-bases`.

Sources: GitHub Advisory, NVD, ATLAS

What is the risk?

Nominal CVSS is 4.3 (medium), but effective operational risk is higher in any multi-user Open WebUI deployment. Exploitation requires only a valid user account and a single HTTP call — sophistication is trivial. The vulnerability's primary danger is its role as an enabler: without UUID enumeration, follow-on attacks (KB destruction, poisoning, content extraction) require guessing 128-bit random UUIDs, which is computationally infeasible. With this flaw, those attacks become immediately practical. The 52 other CVEs in the same package suggest a broader authorization posture problem. No public exploit or KEV listing at this time, but the attack pattern is straightforward enough that weaponization requires no AI/ML expertise.

How does the attack unfold?

1. Initial Access (AML.T0012, Valid Accounts): Attacker authenticates with any valid low-privilege user account on the target Open WebUI instance.
2. API Exploitation (AML.T0049, Exploit Public-Facing Application): Attacker sends POST requests to `/api/v1/retrieval/query/doc` with `collection_name: 'knowledge-bases'`; the incomplete `_validate_collection_access` allowlist passes the request unchecked.
3. KB Enumeration (AML.T0064, Gather RAG-Indexed Targets): Attacker iterates queries across common terms to harvest UUIDs, names, and descriptions of all knowledge bases across all users on the instance.
4. Follow-on Attack Enablement (AML.T0085.000, RAG Databases): Attacker uses harvested UUIDs to execute chained attacks: KB destruction via `process/web`, cross-user content injection via `process/file`, or full RAG content extraction via the vector search bypass.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---------|-----------|------------------|---------|
| Open WebUI | pip | <= 0.8.12 | 0.9.0 |


How severe is it?

CVSS 3.1: 4.3 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 12% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

| Metric | Value |
|--------|-------|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | Low |
| Integrity (I) | None |
| Availability (A) | None |

What should I do?

1. Patch immediately: Upgrade to open-webui >= 0.9.0, which fixes `_validate_collection_access` to properly restrict access to the `knowledge-bases` meta-collection.

2. Detect exploitation: Search access logs for `POST /api/v1/retrieval/query/doc` requests whose `collection_name` is `knowledge-bases`; an ordinary user has no legitimate reason to query the system-level meta-collection, so this is the direct signature of the flaw. Requests whose `collection_name` matches neither `user-memory-*` nor `file-*` (for example a bare knowledge-base UUID) deserve review as possible probing of the companion vulnerabilities, but they can also be legitimate knowledge-base queries, so correlate them with the requesting user's own knowledge bases before treating them as exploitation.

3. Network segmentation: If patching is delayed, restrict the retrieval API endpoints (`/api/v1/retrieval/query/*`) to internal networks or specific trusted principals. Because the attacker needs only a valid account, this limits exposure from internet-facing and self-registered users but does not stop an insider; if self-registration is enabled, disabling it closes the account-creation path described in the exploitation scenario.

4. Audit KB contents: Review knowledge base names and descriptions for sensitive information that should not be exposed to all authenticated users.

5. Review companion vulnerabilities: Assess exposure to the related KB destruction, content injection, and RAG bypass findings; patch priority should reflect their combined chain risk.

6. Treat enumerated UUIDs as exposed: If compromise is suspected, assume the UUIDs of every knowledge base on the instance are already in attacker hands, and check the `process/web`, `process/file`, and retrieval logs for follow-on attempts against them.
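The log sweep from step 2, as an added example that is not part of this page or of Open WebUI: it classifies each request as meta-collection enumeration, as a non-allowlisted collection name to review, or as uninteresting, and counts enumeration attempts per user. The JSON-lines audit log below is constructed, and the `collection_names` list on `/query/collection` is an assumption about the multi-collection endpoint; adapt the field names to whatever your reverse proxy or audit middleware actually records.

```python
"""Added example, not Open WebUI's code: triage of request logs for the
knowledge-bases enumeration pattern. Log format is a constructed JSON-lines
audit log in which the request body is recorded."""
import json
import re
from collections import Counter

META_COLLECTION = "knowledge-bases"
QUERY_PATH = re.compile(r"^/api/v1/retrieval/query/(doc|collection)$")
ALLOWLISTED_PREFIX = re.compile(r"^(user-memory-|file-)")

# Constructed sample log (not real traffic). The "collection_names" list on
# /query/collection is an assumption about the multi-collection endpoint.
SAMPLE_LOG = """\
{"ts":"2026-05-08T10:00:01Z","user":"bob","method":"POST","path":"/api/v1/retrieval/query/doc","status":200,"body":{"collection_name":"knowledge-bases","query":"confidential"}}
{"ts":"2026-05-08T10:00:02Z","user":"bob","method":"POST","path":"/api/v1/retrieval/query/doc","status":200,"body":{"collection_name":"knowledge-bases","query":"internal"}}
{"ts":"2026-05-08T10:00:03Z","user":"bob","method":"POST","path":"/api/v1/retrieval/query/doc","status":200,"body":{"collection_name":"knowledge-bases","query":"hr"}}
{"ts":"2026-05-08T10:00:09Z","user":"bob","method":"POST","path":"/api/v1/retrieval/query/doc","status":200,"body":{"collection_name":"3f1c2b7e-9a4d-4c6e-8b2f-1d5e7a9c0b11","query":"salary"}}
{"ts":"2026-05-08T10:01:00Z","user":"alice","method":"POST","path":"/api/v1/retrieval/query/doc","status":200,"body":{"collection_name":"file-f1","query":"roadmap"}}
{"ts":"2026-05-08T10:01:05Z","user":"alice","method":"POST","path":"/api/v1/retrieval/query/collection","status":200,"body":{"collection_names":["user-memory-alice","7a0e5d2c-4b3f-4e8a-9c1d-2f6b8e0a3c44"],"query":"notes"}}
{"ts":"2026-05-08T10:01:07Z","user":"alice","method":"GET","path":"/api/v1/knowledge/","status":200}
this line is not JSON and must be skipped
"""


def collections_in(body):
    """Collection names referenced by a query body (single or multi form)."""
    names = []
    if isinstance(body.get("collection_name"), str):
        names.append(body["collection_name"])
    names.extend(n for n in body.get("collection_names") or [] if isinstance(n, str))
    return names


def classify(entry):
    """'enumeration' for the meta-collection, 'review' for any other name
    outside the allowlisted prefixes (e.g. a KB UUID queried directly), else None."""
    if entry.get("method") != "POST" or not QUERY_PATH.match(entry.get("path", "")):
        return None, None
    to_review = []
    for name in collections_in(entry.get("body") or {}):
        if name == META_COLLECTION:
            return "enumeration", name
        if not ALLOWLISTED_PREFIX.match(name):
            to_review.append(("review", name))
    return to_review[0] if to_review else (None, None)


def triage(log_text):
    """Parse JSON lines, classify each request, and count enumeration per user."""
    findings = {"enumeration": [], "review": []}
    for raw in log_text.splitlines():
        try:
            entry = json.loads(raw)
        except ValueError:
            continue  # skip non-JSON noise rather than abort the sweep
        verdict, name = classify(entry)
        if verdict:
            findings[verdict].append({
                "ts": entry.get("ts"),
                "user": entry.get("user"),
                "collection": name,
                "query": (entry.get("body") or {}).get("query"),
            })
    per_user = Counter(f["user"] for f in findings["enumeration"])
    return findings, per_user


if __name__ == "__main__":
    found, users = triage(SAMPLE_LOG)
    for user, n in users.most_common():
        print(f"{user}: {n} meta-collection queries (likely enumeration)")
    for f in found["review"]:
        print(f"review: {f['user']} queried {f['collection']} at {f['ts']}")
```

The "review" bucket is deliberately not an alert: a UUID in `collection_name` is what a legitimate knowledge-base query looks like too, so join those rows against the requesting user's own knowledge bases before escalating. Only the `knowledge-bases` hits are unambiguous.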

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

- EU AI Act: Article 10.5 (Data governance and management); Article 15.5 (Cybersecurity for high-risk AI systems)
- ISO 42001: A.6.1.6 (Data governance and protection); A.9.1 (Access control for AI systems)
- NIST AI RMF: GOVERN 4.2 (Organizational teams are committed to transparency); MANAGE 2.2 (Mechanisms are in place to respond to and recover from risks)
- OWASP LLM Top 10: LLM02:2025 (Sensitive Information Disclosure); LLM08:2025 (Vector and Embedding Weaknesses)

Frequently Asked Questions


Is CVE-2026-44557 actively exploited?

No confirmed active exploitation of CVE-2026-44557 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-44557?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, multi-user AI platforms, enterprise knowledge base systems, LLM-backed document retrieval, vector database deployments.

What is the CVSS score for CVE-2026-44557?

CVE-2026-44557 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.22%.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, multi-user AI platforms, enterprise knowledge base systems, LLM-backed document retrieval, vector database deployments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0036 Data from Information Repositories
AML.T0049 Exploit Public-Facing Application
AML.T0064 Gather RAG-Indexed Targets
AML.T0085.000 RAG Databases

Compliance Controls Affected

EU AI Act: Article 10.5, Article 15.5
ISO 42001: A.6.1.6, A.9.1
NIST AI RMF: GOVERN 4.2, MANAGE 2.2
OWASP LLM Top 10: LLM02:2025, LLM08:2025

What are the technical details?

Original Advisory

# Global Knowledge Base Enumeration via knowledge-bases Meta-Collection

## Affected Component

Retrieval collection access validation:

- `backend/open_webui/routers/retrieval.py` (lines 2330-2355, `_validate_collection_access`)
- `backend/open_webui/routers/retrieval.py` (query endpoints, e.g. `POST /query/doc`)

## Affected Versions

Current main branch (commit `6fdd19bf1`) and likely all versions with the knowledge base subsystem.

## Description

The `_validate_collection_access` function uses an incomplete allowlist that only enforces ownership checks for collections matching `user-memory-*` and `file-*` patterns. All other collection names pass through unchecked — including the system-level `knowledge-bases` meta-collection, which stores the IDs, names, and descriptions of every knowledge base on the instance. Any authenticated user can query this meta-collection directly via the retrieval query endpoints to obtain a global index of all knowledge bases across all users.

```python
# retrieval.py:2330-2355 — incomplete collection allowlist
def _validate_collection_access(user, collection_name, ...):
    if collection_name.startswith('user-memory-'):
        # Check user-memory ownership
        ...
    elif collection_name.startswith('file-'):
        # Check file access
        ...
    # Everything else (including "knowledge-bases") passes through unchecked
```

This finding is the enabler for the KB destruction (`process/web`), KB content injection (`process/file`), and RAG vector search access bypass findings — all of which require knowing a target KB's UUID. Without this enumeration, UUIDs are random and practically unguessable; with it, UUIDs across the entire instance are trivially obtained.

## CVSS 3.1 Breakdown

| Metric | Value | Rationale |
|--------|-------|-----------|
| Attack Vector | Network (N) | Exploited remotely via API call |
| Attack Complexity | Low (L) | Single API call |
| Privileges Required | Low (L) | Requires any authenticated user account |
| User Interaction | None (N) | No victim interaction required |
| Scope | Unchanged (U) | Impact within the knowledge base boundary |
| Confidentiality | Low (L) | Discloses KB metadata (IDs, names, descriptions) across all users |
| Integrity | None (N) | No direct data modification |
| Availability | None (N) | No denial of service |

## Attack Scenario

1. Attacker (any authenticated user) sends:

```
POST /api/v1/retrieval/query/doc
{
  "collection_name": "knowledge-bases",
  "query": "confidential"
}
```

2. `_validate_collection_access` does not recognize the `knowledge-bases` prefix and lets the request pass.
3. The vector search returns the most relevant documents from the meta-collection — knowledge base records including their UUIDs, names, and descriptions — across all users on the instance.
4. Attacker varies the query to enumerate more KBs: `"project"`, `"internal"`, `"private"`, etc.
5. Attacker now has a full target list for subsequent attacks (destruction, poisoning, content extraction).

## Impact

- **Information disclosure:** KB names and descriptions may reveal sensitive project names, internal initiatives, or user activities
- **Enabler for other attacks:** Unlocks the following findings by supplying the required target UUIDs:
  - KB destruction/poisoning via `process/web`
  - Cross-user content injection via `process/file`
  - RAG vector search access bypass in `retrieval/utils.py`
- Transforms these from theoretical (requires UUID guessing) to trivially exploitable (UUIDs enumerable)

## Preconditions

- Attacker must have a valid user account
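The allowlist shape the advisory describes, placed next to a default-deny rewrite, as an added example that is not the project's own code or its fix. The `User`, `KnowledgeBase` and `FileRecord` records, the in-memory tables, and the UUIDs are hypothetical stand-ins for Open WebUI's models (its real access model also has group-based sharing, which this simplifies to a `shared_with` set); the point is the control flow: in the vulnerable version any name outside two prefixes falls through as allowed, in the hardened version every name must resolve to something the caller is permitted to see.

```python
"""Added example, not Open WebUI's code: the prefix-allowlist flaw the
advisory describes, beside a default-deny rewrite. All models and data here
are hypothetical stand-ins for the project's own."""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised for every collection the caller may not query."""


@dataclass
class User:
    id: str
    role: str = "user"          # "user" or "admin"


@dataclass
class KnowledgeBase:
    id: str                     # the KB UUID doubles as its vector collection name
    owner_id: str
    shared_with: set = field(default_factory=set)


@dataclass
class FileRecord:
    id: str
    owner_id: str


# Constructed fixture (not real data): two users, an admin, two KBs, one file.
KB_ALICE = "3f1c2b7e-9a4d-4c6e-8b2f-1d5e7a9c0b11"
KB_SHARED = "7a0e5d2c-4b3f-4e8a-9c1d-2f6b8e0a3c44"
USERS = {
    "alice": User("alice"),
    "bob": User("bob"),
    "root": User("root", role="admin"),
}
KBS = {
    KB_ALICE: KnowledgeBase(KB_ALICE, "alice"),
    KB_SHARED: KnowledgeBase(KB_SHARED, "alice", shared_with={"bob"}),
}
FILES = {"f1": FileRecord("f1", "alice")}
META_COLLECTION = "knowledge-bases"


def _check_memory_and_file(user, collection_name):
    """Ownership checks for the two prefixes the original allowlist covers.
    Returns True when the name matched one of those prefixes (and passed)."""
    if collection_name.startswith("user-memory-"):
        if collection_name != f"user-memory-{user.id}":
            raise AccessDenied(collection_name)
        return True
    if collection_name.startswith("file-"):
        rec = FILES.get(collection_name[len("file-"):])
        if rec is None or rec.owner_id != user.id:
            raise AccessDenied(collection_name)
        return True
    return False


def validate_collection_access_vulnerable(user, collection_name):
    """Shape of the flaw: only two prefixes are checked; any other name,
    including the 'knowledge-bases' meta-collection, falls through as allowed."""
    _check_memory_and_file(user, collection_name)
    # No else branch: unknown names are silently permitted.


def validate_collection_access_hardened(user, collection_name):
    """Default deny: the meta-collection is admin-only, and every other name
    must resolve to a knowledge base the caller owns or has been granted."""
    if collection_name == META_COLLECTION:
        if user.role != "admin":
            raise AccessDenied(collection_name)
        return
    if _check_memory_and_file(user, collection_name):
        return
    kb = KBS.get(collection_name)
    if kb is None:
        # Same exception as "forbidden", so the check cannot be used as an
        # oracle to confirm which UUIDs exist.
        raise AccessDenied(collection_name)
    if user.role == "admin" or kb.owner_id == user.id or user.id in kb.shared_with:
        return
    raise AccessDenied(collection_name)


def can_access(check, user_id, collection_name):
    """Boolean wrapper so the two validators can be compared side by side."""
    try:
        check(USERS[user_id], collection_name)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    for name in (META_COLLECTION, KB_ALICE, KB_SHARED, "not-a-real-collection"):
        print(f"bob -> {name}: "
              f"vulnerable={can_access(validate_collection_access_vulnerable, 'bob', name)} "
              f"hardened={can_access(validate_collection_access_hardened, 'bob', name)}")
```

Run stand-alone it prints, for user `bob`, that the vulnerable check allows the meta-collection, another user's KB and even a nonexistent name, while the hardened check allows only the KB explicitly shared with him. The structural lesson is that an allowlist of prefixes is the wrong shape for an authorization check: the safe form enumerates what is permitted and denies everything it did not explicitly resolve.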

Exploitation Scenario

An attacker registers or compromises any low-privilege user account on a shared Open WebUI instance. They issue `POST /api/v1/retrieval/query/doc` with `collection_name: 'knowledge-bases'` and varied queries (`confidential`, `internal`, `project`, `hr`, `security`). The `_validate_collection_access` function does not recognize this collection name and passes the request through unchecked. The vector search returns matching knowledge base records — names, descriptions, and UUIDs — across all users on the instance. The attacker builds a complete inventory of all knowledge bases in minutes. They then pivot to follow-on attacks: using harvested UUIDs to destroy target KBs via the `process/web` endpoint, inject malicious content into KBs via `process/file`, or extract KB content via the RAG vector search bypass — all three of which would be practically impossible without first obtaining the UUIDs through this enumeration flaw.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Timeline

Published: May 8, 2026
Last Modified: May 8, 2026
First Seen: May 8, 2026

Related Vulnerabilities