CVE-2026-45397: Open WebUI: unauthenticated RAG config leaks AI pipeline
GHSA-65pg-qhhw-mxwg MEDIUM NUCLEI TEMPLATE CISA: TRACK*Open WebUI's GET /api/v1/retrieval/ endpoint exposes the complete RAG pipeline configuration — embedding engine, model identifiers, reranking model, chunking parameters, and the full RAG prompt template — to any unauthenticated internet client with a single HTTP request. While the CVE is not in CISA KEV and EPSS data is not yet available for this freshly disclosed vulnerability, exploitation requires zero skill or tooling: one curl command returns the complete AI stack fingerprint with no credentials, no brute force, and no rate-limit concern. The chunk parameter disclosure is particularly dangerous because it enables adversaries to engineer RAG poisoning payloads with mathematically precise retrieval boundaries, eliminating the guesswork that limits most RAG attacks and making this a meaningful force multiplier against Open WebUI-based enterprise AI assistants. Upgrade to open-webui v0.9.5 immediately; if patching is delayed, block unauthenticated requests to /api/v1/retrieval/ at the reverse proxy layer and audit access logs for unauthorized hits.
What is the risk?
Medium CVSS (5.3) understates operational risk for AI-first deployments. Exploitation is trivial — no credentials, no specialized tooling, reachable from any IP via a single HTTP GET. The vulnerability compounds into a RAG poisoning enabler: chunk parameter disclosure eliminates the guesswork that constrains most RAG attacks, making it a meaningful force multiplier for adversaries targeting Open WebUI-backed enterprise knowledge systems. With 91 prior CVEs in this package and a package risk score of 38/100, Open WebUI represents a consistently high-risk surface that security teams should treat with elevated scrutiny regardless of individual CVE severity ratings.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | < 0.9.5 | 0.9.5 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch immediately: upgrade to open-webui v0.9.5, which adds proper authentication dependency to GET /api/v1/retrieval/.
-
Reverse proxy mitigation if patching is delayed: add a rule returning 401 for unauthenticated requests to /api/v1/retrieval/ at nginx, Caddy, or Traefik level.
-
Detection: audit web server access logs for GET /api/v1/retrieval/ requests lacking Authorization headers — unexpected hits indicate active reconnaissance.
-
Post-exposure response: if the endpoint was internet-reachable, assume RAG configuration is known to adversaries; rotate RAG templates containing sensitive instructions and consider modifying chunk parameters to invalidate pre-computed poisoning payloads.
-
Defense in depth: restrict Open WebUI to internal networks or VPN; avoid direct internet exposure regardless of patch status given the package's 91-CVE history.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-45397?
Open WebUI's GET /api/v1/retrieval/ endpoint exposes the complete RAG pipeline configuration — embedding engine, model identifiers, reranking model, chunking parameters, and the full RAG prompt template — to any unauthenticated internet client with a single HTTP request. While the CVE is not in CISA KEV and EPSS data is not yet available for this freshly disclosed vulnerability, exploitation requires zero skill or tooling: one curl command returns the complete AI stack fingerprint with no credentials, no brute force, and no rate-limit concern. The chunk parameter disclosure is particularly dangerous because it enables adversaries to engineer RAG poisoning payloads with mathematically precise retrieval boundaries, eliminating the guesswork that limits most RAG attacks and making this a meaningful force multiplier against Open WebUI-based enterprise AI assistants. Upgrade to open-webui v0.9.5 immediately; if patching is delayed, block unauthenticated requests to /api/v1/retrieval/ at the reverse proxy layer and audit access logs for unauthorized hits.
Is CVE-2026-45397 actively exploited?
No confirmed active exploitation of CVE-2026-45397 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-45397?
1. Patch immediately: upgrade to open-webui v0.9.5, which adds proper authentication dependency to GET /api/v1/retrieval/. 2. Reverse proxy mitigation if patching is delayed: add a rule returning 401 for unauthenticated requests to /api/v1/retrieval/ at nginx, Caddy, or Traefik level. 3. Detection: audit web server access logs for GET /api/v1/retrieval/ requests lacking Authorization headers — unexpected hits indicate active reconnaissance. 4. Post-exposure response: if the endpoint was internet-reachable, assume RAG configuration is known to adversaries; rotate RAG templates containing sensitive instructions and consider modifying chunk parameters to invalidate pre-computed poisoning payloads. 5. Defense in depth: restrict Open WebUI to internal networks or VPN; avoid direct internet exposure regardless of patch status given the package's 91-CVE history.
What systems are affected by CVE-2026-45397?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, Enterprise AI assistants, Document Q&A systems, ML UI platforms.
What is the CVSS score for CVE-2026-45397?
CVE-2026-45397 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.72%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0006 Active Scanning AML.T0014 Discover AI Model Family AML.T0049 Exploit Public-Facing Application AML.T0064 Gather RAG-Indexed Targets AML.T0066 Retrieval Content Crafting AML.T0069.002 System Prompt Compliance Controls Affected
What are the technical details?
Original Advisory
**Vulnerability Type:** Information Disclosure / Missing Authentication **Severity:** Medium **Component:** `backend/open_webui/routers/retrieval.py` — `get_status()` (`GET /`) **Affected Endpoint:** `GET /api/v1/retrieval/` **Affected Version:** Open WebUI `main` branch — confirmed unpatched through **v0.9.2** **Authentication Required:** None — internet-facing with zero credentials **CVSSv3.1 Score:** 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) --- ## Summary `GET /api/v1/retrieval/` returns live RAG pipeline configuration to any unauthenticated HTTP client. No `Authorization` header, cookie, or API key is required. Every adjacent endpoint on the same router (`/embedding`, `/config`) is correctly guarded by `get_admin_user` making this a targeted omission. --- ## Root Cause `backend/open_webui/routers/retrieval.py:262` ```python @router.get('/') async def get_status(request: Request): # ← no Depends(get_verified_user) return { 'status': True, 'CHUNK_SIZE': request.app.state.config.CHUNK_SIZE, 'CHUNK_OVERLAP': request.app.state.config.CHUNK_OVERLAP, 'RAG_TEMPLATE': request.app.state.config.RAG_TEMPLATE, 'RAG_EMBEDDING_ENGINE': request.app.state.config.RAG_EMBEDDING_ENGINE, 'RAG_EMBEDDING_MODEL': request.app.state.config.RAG_EMBEDDING_MODEL, 'RAG_RERANKING_MODEL': request.app.state.config.RAG_RERANKING_MODEL, 'RAG_EMBEDDING_BATCH_SIZE': request.app.state.config.RAG_EMBEDDING_BATCH_SIZE, 'ENABLE_ASYNC_EMBEDDING': request.app.state.config.ENABLE_ASYNC_EMBEDDING, 'RAG_EMBEDDING_CONCURRENT_REQUESTS': request.app.state.config.RAG_EMBEDDING_CONCURRENT_REQUESTS, } ``` Compare with every adjacent endpoint on the same router: ```python @router.get('/embedding') async def get_embedding_config(request: Request, user=Depends(get_admin_user)): # ✅ @router.get('/config') async def get_rag_config(request: Request, user=Depends(get_admin_user)): # ✅ ``` --- ## Proof Of Concept — No Token Required ```bash curl -s http://TARGET/api/v1/retrieval/ ``` ```json { "status": true, "CHUNK_SIZE": 1000, "CHUNK_OVERLAP": 100, "RAG_TEMPLATE": "### Task:\nRespond to the user query using the provided context...\n<context>\n{{CONTEXT}}\n</context>", "RAG_EMBEDDING_ENGINE": "", "RAG_EMBEDDING_MODEL": "sentence-transformers/all-MiniLM-L6-v2", "RAG_RERANKING_MODEL": "", "RAG_EMBEDDING_BATCH_SIZE": 1, "ENABLE_ASYNC_EMBEDDING": true, "RAG_EMBEDDING_CONCURRENT_REQUESTS": 0 } ``` --- ## Disclosed Information and Its Value to an Attacker | Field | What it reveals | |---|---| | `RAG_EMBEDDING_ENGINE` | Backend type (OpenAI, Ollama, Azure, etc.) | | `RAG_EMBEDDING_MODEL` | Exact model name — reveals embedding model | | `RAG_RERANKING_MODEL` | Reranker in use — reveals reranker | | `RAG_TEMPLATE` | **RAG template** — exposes the RAG template | | `CHUNK_SIZE` / `CHUNK_OVERLAP` | Chunking parameters — enables exact reconstruction of how documents are split and retrieved | --- ## Attack Scenario 1. Attacker sends one unauthenticated HTTP GET to `/api/v1/retrieval/`. 2. Response reveals the embedding model and chunking parameters. 3. Attacker uses the exact chunk size/overlap to craft RAG poisoning payloads that are guaranteed to be retrieved. --- ## Impact 1. **RAG template disclosure** 2. **Infrastructure fingerprinting** — embedding engine and model name reveal the AI stack to an internet scanner 3. **RAG attack surface mapping** — chunk parameters enable precise calculation of retrieval boundaries 4. **Zero-effort recon** — no brute force, no credentials, no rate-limit concern. Single request from any IP. --- ## Recommended Fix Add `get_verified_user` dependency (or `get_admin_user` for stricter control): ```python # BEFORE (vulnerable) @router.get('/') async def get_status(request: Request): # AFTER @router.get('/') async def get_status(request: Request, user=Depends(get_verified_user)): ```
Exploitation Scenario
An adversary conducting AI infrastructure reconnaissance uses Shodan or Censys to enumerate internet-facing Open WebUI instances by banner or service fingerprint. Against each target, they send a single unauthenticated GET to /api/v1/retrieval/ — receiving the embedding model name (e.g., sentence-transformers/all-MiniLM-L6-v2), chunk boundaries (CHUNK_SIZE: 1000, CHUNK_OVERLAP: 100), and the full RAG_TEMPLATE prompt structure in the JSON response. The adversary replicates the exact embedding model locally and uses the disclosed chunk parameters to calculate retrieval boundaries mathematically, determining precisely which document segments will be returned for a given query. They then craft poisoned documents engineered to fit precisely within those chunk boundaries — maximizing retrieval probability — and inject them through any available document upload vector: shared folders watched by the RAG pipeline, email attachments, or web form uploads. Subsequent user queries consistently surface attacker-controlled content, enabling misinformation injection or data harvesting via follow-on prompt manipulation using the known RAG_TEMPLATE structure.
Weaknesses (CWE)
CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
- [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N References
Timeline
Scanner Template Available
A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.
View template on GitHubnuclei -t http/cves/2026/CVE-2026-45397.yaml -u https://target.example.com Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui