CVE-2026-44560: open-webui: RAG auth bypass exposes private files

GHSA-h36f-rqpx-j5wx MEDIUM
Published May 8, 2026
CISO Take

Open WebUI's RAG pipeline skips authorization checks on three of five code paths in its source resolution function, letting any authenticated user query private files and knowledge bases they no longer have access to — simply by referencing the predictable collection name format (`file-<id>`) in a single chat completion API call. For enterprises running Open WebUI as an internal document assistant, this means access revocation is completely broken: removed users retain indefinite read access to every file they ever encountered through the system. There is no public exploit and this is not in CISA KEV, but the attack requires only a valid account and trivially guessable resource IDs — CVSS scores exploitation complexity as Low with no user interaction required. Upgrade to open-webui 0.9.0 immediately; until then, restrict `/api/chat/completions` to fully trusted users via network policy and treat any previously shared files as potentially compromised.

Sources: GitHub Advisory, NVD, ATLAS

What is the risk?

CVSS 6.5 (Medium) understates operational risk for AI deployments. The critical factor is that access revocation — a fundamental security control — is rendered completely ineffective at the RAG layer. Any authenticated user who ever accessed a file can extract its full vector-store content indefinitely post-revocation. Collection name formats (`file-<uuid>`, knowledge base UUIDs) are predictable and obtainable through prior legitimate interactions. The attack surface is every API-accessible Open WebUI instance hosting private documents. With 52 prior CVEs in the same package, this is a component with a weak security track record.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker authenticates with a valid (possibly low-privilege) Open WebUI user account, which is a prerequisite for calling the chat completion API.
  2. Target Identification (AML.T0064): Attacker collects file IDs or knowledge base UUIDs from prior legitimate interactions (shared conversations, visible file listings) to identify private resources they no longer have authorization to access.
  3. Authorization Bypass (AML.T0049): Attacker sends a crafted POST to `/api/chat/completions` referencing the revoked file ID or knowledge base UUID via the unprotected code path; no authorization check is performed and the vector store is queried directly.
  4. Data Exfiltration (AML.T0085.000): Private document chunks are injected into the LLM context and returned in the model's response, allowing the attacker to systematically extract full file or knowledge base content through targeted questions.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---------|-----------|------------------|---------|
| Open WebUI | pip | <= 0.8.12 | 0.9.0 |

Package stats: 142.4K, pushed 5d ago, 77% patched, ~5d to patch.

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 28% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

| AV | AC | PR | UI | S | C | I | A |
|----|----|----|----|---|---|---|---|
| Network | Low | Low | None | Unchanged | High | None | None |

What should I do?

5 steps
  1. Patch immediately

    Upgrade to open-webui 0.9.0, which adds authorization checks to all five code paths in get_sources_from_items.

  2. Network-level workaround

    If upgrade is blocked, restrict access to the /api/chat/completions endpoint to explicitly trusted users or internal network segments.

  3. Audit prior access

    Enumerate all users who had access to sensitive files or knowledge bases and treat their access as persistent until the patch is applied.

  4. Review vector store

    Audit what has been embedded into the vector store; documents cannot be un-embedded retroactively by revoking file permissions alone.

  5. Monitor for abuse

    Alert on API calls referencing files or collection names from users whose access was revoked — the mismatch between access logs and file permissions is detectable post-hoc.
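Step 5 describes a post-hoc check: requests that reference a file or knowledge base collection from a user whose access to it was already revoked. The following is an added example, not part of the advisory or of Open WebUI, that runs that correlation over constructed log lines. The log schema (a JSON line per `/api/chat/completions` request with the caller and request body, as a reverse proxy or API gateway might record it) and the revocation record format are assumptions; the mapping from request items to collection names (`file-<id>`, `collection_name`, `collection_names`) follows the advisory.

```python
"""Added example (not Open WebUI code): flag chat completion requests that
reference a collection after the caller's access to it was revoked.
Log and revocation formats below are constructed assumptions."""
import json
from datetime import datetime

# Constructed sample: one JSON line per POST /api/chat/completions.
ACCESS_LOG = """
{"ts": "2026-05-08T09:00:00Z", "user": "contractor", "path": "/api/chat/completions", "body": {"files": [{"type": "file", "id": "f-111"}]}}
{"ts": "2026-05-08T12:00:00Z", "user": "contractor", "path": "/api/chat/completions", "body": {"files": [{"type": "file", "id": "f-111"}]}}
{"ts": "2026-05-08T12:30:00Z", "user": "contractor", "path": "/api/chat/completions", "body": {"files": [{"type": "text", "collection_name": "kb-aaa"}]}}
{"ts": "2026-05-08T13:00:00Z", "user": "alice", "path": "/api/chat/completions", "body": {"files": [{"type": "file", "id": "f-111"}]}}
"""

# Constructed sample of the permission store's revocation history.
REVOCATIONS = [
    {"user": "contractor", "resource": "file-f-111", "revoked_at": "2026-05-08T10:00:00Z"},
    {"user": "contractor", "resource": "kb-aaa", "revoked_at": "2026-05-08T10:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z; the replace keeps this working before Python 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def referenced_collections(body: dict) -> list[str]:
    """Collection names a request body would make the RAG layer query.
    Mirrors the three request shapes named in the advisory."""
    names: list[str] = []
    for item in body.get("files", []):
        if item.get("type") == "file":
            names.append("file-" + item["id"])
        elif item.get("collection_name"):
            names.append(item["collection_name"])
        names.extend(item.get("collection_names", []))
    return names


def find_post_revocation_access(log_text: str, revocations: list[dict]) -> list[dict]:
    """Return one finding per (request, collection) where the caller referenced a
    collection at or after the time their access to it was revoked.
    Assumes access was not re-granted afterwards; a production version would
    consult the full grant/revoke history rather than a single cutoff."""
    cutoff = {(r["user"], r["resource"]): parse_ts(r["revoked_at"]) for r in revocations}
    findings: list[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("path") != "/api/chat/completions":
            continue
        ts = parse_ts(entry["ts"])
        for name in referenced_collections(entry.get("body", {})):
            revoked_at = cutoff.get((entry["user"], name))
            if revoked_at is not None and ts >= revoked_at:
                findings.append({"ts": entry["ts"], "user": entry["user"], "resource": name})
    return findings


if __name__ == "__main__":
    for f in find_post_revocation_access(ACCESS_LOG, REVOCATIONS):
        print(f"ALERT {f['ts']} user={f['user']} referenced revoked {f['resource']}")
```

On the sample data the 09:00 request is legitimate (before revocation) and alice's request is untouched; the two contractor requests after 10:00 are flagged. The same join works against whatever access log your gateway already keeps, provided request bodies (or at least the referenced file and collection identifiers) are logged.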

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

  • EU AI Act: Article 9 - Risk Management System
  • ISO 42001: A.6.2.3 - AI system access control; A.7.3 - Data for development and production
  • NIST AI RMF: GOVERN 6.1 - Policies and procedures are in place for AI risk
  • OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure; LLM08 - Vector and Embedding Weaknesses

Frequently Asked Questions

Is CVE-2026-44560 actively exploited?

No confirmed active exploitation of CVE-2026-44560 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44560?

  1. **Patch immediately**: Upgrade to open-webui 0.9.0, which adds authorization checks to all five code paths in `get_sources_from_items`.
  2. **Network-level workaround**: If upgrade is blocked, restrict access to the `/api/chat/completions` endpoint to explicitly trusted users or internal network segments.
  3. **Audit prior access**: Enumerate all users who had access to sensitive files or knowledge bases and treat their access as persistent until the patch is applied.
  4. **Review vector store**: Audit what has been embedded into the vector store; documents cannot be un-embedded retroactively by revoking file permissions alone.
  5. **Monitor for abuse**: Alert on API calls referencing files or collection names from users whose access was revoked — the mismatch between access logs and file permissions is detectable post-hoc.

What systems are affected by CVE-2026-44560?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, Enterprise document management systems, Private knowledge base deployments, AI chat assistants with document grounding, Multi-user LLM platforms.

What is the CVSS score for CVE-2026-44560?

CVE-2026-44560 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.37%.

What is the AI security impact?

Affected AI Architectures

  • RAG pipelines
  • Enterprise document management systems
  • Private knowledge base deployments
  • AI chat assistants with document grounding
  • Multi-user LLM platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0064 Gather RAG-Indexed Targets
AML.T0085.000 RAG Databases

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.3, A.7.3
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM02, LLM08

What are the technical details?

Original Advisory

# Unauthorized File and Knowledge Base Content Access via RAG Vector Search

## Affected Component

RAG source resolution in chat completion pipeline:

- `backend/open_webui/retrieval/utils.py` (lines 963-965, 1063-1068, 1126-1131 in `get_sources_from_items`)

## Affected Versions

Current main branch (commit `6fdd19bf1`) and likely all versions with RAG functionality.

## Description

The `get_sources_from_items` function resolves file and knowledge base references into vector search queries during chat completion. Three of the five code paths perform vector store queries without any authorization check, allowing users to extract content from files and knowledge bases they do not have access to.

| Path | Lines | Access Check |
|------|-------|--------------|
| `type: "file"`, full-context | 1044-1050 | ✅ `has_access_to_file` |
| `type: "file"`, non-full-context (default) | 1063-1068 | ❌ None |
| `type: "collection"` | 1070-1118 | ✅ Present |
| `type: "text"` with `collection_name` | 963-965 | ❌ None |
| Bare `collection_name`/`collection_names` | 1126-1131 | ❌ None |

The three unprotected paths pass user-supplied collection names directly to `query_collection()`, which queries the vector store without any authorization. Collection names follow predictable formats: `file-<file_id>` for files and the knowledge base UUID for knowledge bases.

## CVSS 3.1 Breakdown

| Metric | Value | Rationale |
|--------|-------|-----------|
| Attack Vector | Network (N) | Exploited remotely via chat completion API |
| Attack Complexity | Low (L) | Single API call with a known resource ID |
| Privileges Required | Low (L) | Requires a valid user account |
| User Interaction | None (N) | No victim interaction required |
| Scope | Unchanged (U) | Impact within the application's data boundary |
| Confidentiality | High (H) | Full content of private files/knowledge bases extractable |
| Integrity | None (N) | No data modification |
| Availability | None (N) | No denial of service |

## Attack Scenario

1. User A uploads a private document and uses it in RAG (the document is embedded into the vector store as collection `file-<file_id>`).
2. User A shares a chat or model referencing the file with User B, or User B otherwise obtains the file ID through a legitimate interaction.
3. User A later revokes User B's access to the file.
4. User B sends a chat completion request referencing the revoked file:

   ```json
   POST /api/chat/completions
   {
     "model": "any-accessible-model",
     "messages": [{"role": "user", "content": "What does this document say about pricing?"}],
     "files": [{"type": "file", "id": "<revoked_file_id>"}]
   }
   ```

5. The non-full-context path (default) constructs collection name `file-<id>` and queries the vector store with no access check.
6. Matching chunks are injected into the LLM context, and the response contains the victim's private file content.

The same attack works via `{"type": "text", "collection_name": "<knowledge_base_id>"}` for knowledge bases.

## Impact

- Access revocation is ineffective for RAG content — users who previously had access can continue extracting file and knowledge base content indefinitely
- Private document content can be systematically extracted through targeted queries
- Breaks the access control model for files and knowledge bases at the RAG layer

## Preconditions

- Attacker must know the file ID or knowledge base ID (UUID) of the target resource
- The target file/knowledge base must have been processed into the vector store
- Attacker must have a valid user account

Exploitation Scenario

A contractor is granted access to a confidential pricing document uploaded to an Open WebUI knowledge base. The document is processed and embedded into the vector store as `file-<uuid>`. After the engagement ends, the administrator revokes the contractor's file access. The contractor still has a valid user account. They send `POST /api/chat/completions` with `{"files": [{"type": "file", "id": "<revoked_uuid>"}], "messages": [{"role": "user", "content": "List all pricing tiers and margins"}]}`. The non-full-context path constructs the collection name and queries the vector store without any authorization check. Relevant chunks are injected into the LLM context and the model responds with the private pricing data verbatim. The same works against knowledge bases via `{"type": "text", "collection_name": "<kb_uuid>"}` for bulk exfiltration across an entire knowledge base.
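The advisory's description of `get_sources_from_items` and the scenario above both come down to one pattern: a collection name is derived from a user-supplied item and handed to the vector store, and only some of the code paths ask whether the caller may read the underlying resource. The following is an added example, not Open WebUI's code, that models that pattern in a toy resolver and shows the fix: derive the resource identity from the collection name and pass every path through a single authorization gate. `VectorStore`, `Acl`, `resolve_sources_unchecked` and `resolve_sources` are hypothetical names; the `file-<id>` naming and the three request shapes follow the advisory, and the sample data is constructed.

```python
"""Added example (not Open WebUI code): a toy RAG source resolver showing the
authorization gap from the advisory next to a version that checks every path."""
from __future__ import annotations

FILE_PREFIX = "file-"


def _words(text: str) -> set[str]:
    return {w.lower().strip(".,:;!?") for w in text.split()}


class VectorStore:
    """Stand-in for a vector database keyed by collection name."""

    def __init__(self) -> None:
        self.collections: dict[str, list[str]] = {}

    def add(self, collection: str, chunks: list[str]) -> None:
        self.collections.setdefault(collection, []).extend(chunks)

    def query_collection(self, collection: str, query: str) -> list[str]:
        # A real store ranks by embedding similarity; keyword overlap is enough
        # here to show that the store itself performs no authorization.
        return [c for c in self.collections.get(collection, []) if _words(query) & _words(c)]


class Acl:
    """Read permissions: file ids and knowledge-base ids map to allowed user ids."""

    def __init__(self, files: dict[str, set[str]], knowledge: dict[str, set[str]]) -> None:
        self.files, self.knowledge = files, knowledge

    def has_access_to_file(self, user: str, file_id: str) -> bool:
        return user in self.files.get(file_id, set())

    def has_access_to_knowledge(self, user: str, kb_id: str) -> bool:
        return user in self.knowledge.get(kb_id, set())


def collection_names_for(item: dict) -> list[str]:
    """Map one request item to the collection(s) it would query: type=file,
    type=text with collection_name, or bare collection_name(s)."""
    if item.get("type") == "file":
        return [FILE_PREFIX + item["id"]]
    if item.get("collection_names"):
        return list(item["collection_names"])
    if item.get("collection_name"):
        return [item["collection_name"]]
    return []


def resolve_sources_unchecked(items: list[dict], query: str, store: VectorStore) -> list[str]:
    """The vulnerable shape: request-derived collection names go straight to the store."""
    chunks: list[str] = []
    for item in items:
        for name in collection_names_for(item):
            chunks.extend(store.query_collection(name, query))
    return chunks


def authorized(user: str, collection: str, acl: Acl) -> bool:
    """Authorize by the resource the collection denotes, not by how it was requested."""
    if collection.startswith(FILE_PREFIX):
        return acl.has_access_to_file(user, collection[len(FILE_PREFIX):])
    return acl.has_access_to_knowledge(user, collection)


def resolve_sources(items: list[dict], query: str, user: str,
                    store: VectorStore, acl: Acl) -> tuple[list[str], list[str]]:
    """Hardened shape: every path funnels through one gate before any query.
    Returns (chunks, denied collection names); denials are worth logging."""
    chunks: list[str] = []
    denied: list[str] = []
    for item in items:
        for name in collection_names_for(item):
            if not authorized(user, name, acl):
                denied.append(name)
                continue
            chunks.extend(store.query_collection(name, query))
    return chunks, denied


def demo() -> dict:
    """Constructed scenario: user B no longer has access to file f1 or kb-1."""
    store = VectorStore()
    store.add("file-f1", ["Pricing tier Gold has a 40% margin.", "Office hours are 9-5."])
    store.add("kb-1", ["Internal roadmap: launch in Q3."])
    acl = Acl(files={"f1": {"userA"}}, knowledge={"kb-1": {"userA"}})
    items = [{"type": "file", "id": "f1"}, {"type": "text", "collection_name": "kb-1"}]
    leaked = resolve_sources_unchecked(items, "pricing margin roadmap", store)
    kept, denied = resolve_sources(items, "pricing margin roadmap", "userB", store, acl)
    return {"unchecked": leaked, "checked": kept, "denied": denied}


if __name__ == "__main__":
    print(demo())
```

The design point is that the check keys on what the collection name resolves to (a file id after `file-`, otherwise a knowledge base id), so a new request shape cannot bypass it by reaching the store through a path nobody thought to guard; the per-path checks in the vulnerable version are exactly what left three of five paths open.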

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
May 8, 2026
Last Modified
May 8, 2026
First Seen
May 9, 2026
