CVE-2026-45397 — MEDIUM (CVSS 5.3)

Q: Is CVE-2026-45397 actively exploited?

No confirmed active exploitation of CVE-2026-45397 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-45397?

1. Patch immediately: upgrade to open-webui v0.9.5, which adds proper authentication dependency to GET /api/v1/retrieval/. 2. Reverse proxy mitigation if patching is delayed: add a rule returning 401 for unauthenticated requests to /api/v1/retrieval/ at nginx, Caddy, or Traefik level. 3. Detection: audit web server access logs for GET /api/v1/retrieval/ requests lacking Authorization headers — unexpected hits indicate active reconnaissance. 4. Post-exposure response: if the endpoint was internet-reachable, assume RAG configuration is known to adversaries; rotate RAG templates containing sensitive instructions and consider modifying chunk parameters to invalidate pre-computed poisoning payloads. 5. Defense in depth: restrict Open WebUI to internal networks or VPN; avoid direct internet exposure regardless of patch status given the package's 91-CVE history.

Q: What systems are affected by CVE-2026-45397?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, Enterprise AI assistants, Document Q&A systems, ML UI platforms.

Q: What is the CVSS score for CVE-2026-45397?

CVE-2026-45397 has a CVSS v3.1 base score of 5.3 (MEDIUM).

CISO Take

Open WebUI's GET /api/v1/retrieval/ endpoint exposes the complete RAG pipeline configuration — embedding engine, model identifiers, reranking model, chunking parameters, and the full RAG prompt template — to any unauthenticated internet client with a single HTTP request. While the CVE is not in CISA KEV and EPSS data is not yet available for this freshly disclosed vulnerability, exploitation requires zero skill or tooling: one curl command returns the complete AI stack fingerprint with no credentials, no brute force, and no rate-limit concern. The chunk parameter disclosure is particularly dangerous because it enables adversaries to engineer RAG poisoning payloads with mathematically precise retrieval boundaries, eliminating the guesswork that limits most RAG attacks and making this a meaningful force multiplier against Open WebUI-based enterprise AI assistants. Upgrade to open-webui v0.9.5 immediately; if patching is delayed, block unauthenticated requests to /api/v1/retrieval/ at the reverse proxy layer and audit access logs for unauthorized hits.

Sources: GitHub Advisory NVD ATLAS

What is the risk?

Medium CVSS (5.3) understates operational risk for AI-first deployments. Exploitation is trivial — no credentials, no specialized tooling, reachable from any IP via a single HTTP GET. The vulnerability compounds into a RAG poisoning enabler: chunk parameter disclosure eliminates the guesswork that constrains most RAG attacks, making it a meaningful force multiplier for adversaries targeting Open WebUI-backed enterprise knowledge systems. With 91 prior CVEs in this package and a package risk score of 38/100, Open WebUI represents a consistently high-risk surface that security teams should treat with elevated scrutiny regardless of individual CVE severity ratings.

Attack Kill Chain

Reconnaissance

Adversary uses internet scanners (Shodan, Censys) or automated probes to enumerate internet-facing Open WebUI instances by service fingerprint or banner.

AML.T0006

Config Extraction

Single unauthenticated GET to /api/v1/retrieval/ returns full RAG configuration including embedding model, chunk parameters, and RAG prompt template with no credentials required.

AML.T0049

RAG Targeting

Adversary uses disclosed CHUNK_SIZE and CHUNK_OVERLAP to mathematically calculate exact document retrieval boundaries and replicates the named embedding model locally for payload optimization.

AML.T0064

Payload Injection

Adversary crafts poisoned documents engineered to fit precisely within disclosed chunk boundaries and injects them through available document upload vectors, contaminating the RAG knowledge base for all subsequent user queries.

AML.T0066

Reconnaissance

Adversary uses internet scanners (Shodan, Censys) or automated probes to enumerate internet-facing Open WebUI instances by service fingerprint or banner.

AML.T0006

Config Extraction

Single unauthenticated GET to /api/v1/retrieval/ returns full RAG configuration including embedding model, chunk parameters, and RAG prompt template with no credentials required.

AML.T0049

RAG Targeting

Adversary uses disclosed CHUNK_SIZE and CHUNK_OVERLAP to mathematically calculate exact document retrieval boundaries and replicates the named embedding model locally for payload optimization.

AML.T0064

Payload Injection

Adversary crafts poisoned documents engineered to fit precisely within disclosed chunk boundaries and injects them through available document upload vectors, contaminating the RAG knowledge base for all subsequent user queries.

AML.T0066

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	< 0.9.5	`0.9.5`
136.3K Pushed 5d ago 75% patched ~4d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

5.3 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C Low

I None

A None

What should I do?

5 steps

Patch immediately: upgrade to open-webui v0.9.5, which adds proper authentication dependency to GET /api/v1/retrieval/.
Reverse proxy mitigation if patching is delayed: add a rule returning 401 for unauthenticated requests to /api/v1/retrieval/ at nginx, Caddy, or Traefik level.
Detection: audit web server access logs for GET /api/v1/retrieval/ requests lacking Authorization headers — unexpected hits indicate active reconnaissance.
Post-exposure response: if the endpoint was internet-reachable, assume RAG configuration is known to adversaries; rotate RAG templates containing sensitive instructions and consider modifying chunk parameters to invalidate pre-computed poisoning payloads.
Defense in depth: restrict Open WebUI to internal networks or VPN; avoid direct internet exposure regardless of patch status given the package's 91-CVE history.

Classification

Auth Bypass Data Extraction RAG Framework AML.T0006 - Active Scanning AML.T0014 - Discover AI Model Family AML.T0049 - Exploit Public-Facing Application AML.T0064 - Gather RAG-Indexed Targets AML.T0066 - Retrieval Content Crafting AML.T0069.002 - System Prompt

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.8.4 - AI system security

NIST AI RMF

MEASURE 2.5 - AI system security testing

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure LLM07:2025 - System Prompt Leakage

Frequently Asked Questions

What is CVE-2026-45397?

Open WebUI's GET /api/v1/retrieval/ endpoint exposes the complete RAG pipeline configuration — embedding engine, model identifiers, reranking model, chunking parameters, and the full RAG prompt template — to any unauthenticated internet client with a single HTTP request. While the CVE is not in CISA KEV and EPSS data is not yet available for this freshly disclosed vulnerability, exploitation requires zero skill or tooling: one curl command returns the complete AI stack fingerprint with no credentials, no brute force, and no rate-limit concern. The chunk parameter disclosure is particularly dangerous because it enables adversaries to engineer RAG poisoning payloads with mathematically precise retrieval boundaries, eliminating the guesswork that limits most RAG attacks and making this a meaningful force multiplier against Open WebUI-based enterprise AI assistants. Upgrade to open-webui v0.9.5 immediately; if patching is delayed, block unauthenticated requests to /api/v1/retrieval/ at the reverse proxy layer and audit access logs for unauthorized hits.

Is CVE-2026-45397 actively exploited?

No confirmed active exploitation of CVE-2026-45397 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45397?

1. Patch immediately: upgrade to open-webui v0.9.5, which adds proper authentication dependency to GET /api/v1/retrieval/. 2. Reverse proxy mitigation if patching is delayed: add a rule returning 401 for unauthenticated requests to /api/v1/retrieval/ at nginx, Caddy, or Traefik level. 3. Detection: audit web server access logs for GET /api/v1/retrieval/ requests lacking Authorization headers — unexpected hits indicate active reconnaissance. 4. Post-exposure response: if the endpoint was internet-reachable, assume RAG configuration is known to adversaries; rotate RAG templates containing sensitive instructions and consider modifying chunk parameters to invalidate pre-computed poisoning payloads. 5. Defense in depth: restrict Open WebUI to internal networks or VPN; avoid direct internet exposure regardless of patch status given the package's 91-CVE history.

What systems are affected by CVE-2026-45397?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, Enterprise AI assistants, Document Q&A systems, ML UI platforms.

What is the CVSS score for CVE-2026-45397?

CVE-2026-45397 has a CVSS v3.1 base score of 5.3 (MEDIUM).

Technical Details

NVD Description

**Vulnerability Type:** Information Disclosure / Missing Authentication **Severity:** Medium **Component:** `backend/open_webui/routers/retrieval.py` — `get_status()` (`GET /`) **Affected Endpoint:** `GET /api/v1/retrieval/` **Affected Version:** Open WebUI `main` branch — confirmed unpatched through **v0.9.2** **Authentication Required:** None — internet-facing with zero credentials **CVSSv3.1 Score:** 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) --- ## Summary `GET /api/v1/retrieval/` returns live RAG pipeline configuration to any unauthenticated HTTP client. No `Authorization` header, cookie, or API key is required. Every adjacent endpoint on the same router (`/embedding`, `/config`) is correctly guarded by `get_admin_user` making this a targeted omission. --- ## Root Cause `backend/open_webui/routers/retrieval.py:262` ```python @router.get('/') async def get_status(request: Request): # ← no Depends(get_verified_user) return { 'status': True, 'CHUNK_SIZE': request.app.state.config.CHUNK_SIZE, 'CHUNK_OVERLAP': request.app.state.config.CHUNK_OVERLAP, 'RAG_TEMPLATE': request.app.state.config.RAG_TEMPLATE, 'RAG_EMBEDDING_ENGINE': request.app.state.config.RAG_EMBEDDING_ENGINE, 'RAG_EMBEDDING_MODEL': request.app.state.config.RAG_EMBEDDING_MODEL, 'RAG_RERANKING_MODEL': request.app.state.config.RAG_RERANKING_MODEL, 'RAG_EMBEDDING_BATCH_SIZE': request.app.state.config.RAG_EMBEDDING_BATCH_SIZE, 'ENABLE_ASYNC_EMBEDDING': request.app.state.config.ENABLE_ASYNC_EMBEDDING, 'RAG_EMBEDDING_CONCURRENT_REQUESTS': request.app.state.config.RAG_EMBEDDING_CONCURRENT_REQUESTS, } ``` Compare with every adjacent endpoint on the same router: ```python @router.get('/embedding') async def get_embedding_config(request: Request, user=Depends(get_admin_user)): # ✅ @router.get('/config') async def get_rag_config(request: Request, user=Depends(get_admin_user)): # ✅ ``` --- ## Proof Of Concept — No Token Required ```bash curl -s http://TARGET/api/v1/retrieval/ ``` ```json { "status": true, "CHUNK_SIZE": 1000, "CHUNK_OVERLAP": 100, "RAG_TEMPLATE": "### Task:\nRespond to the user query using the provided context...\n<context>\n{{CONTEXT}}\n</context>", "RAG_EMBEDDING_ENGINE": "", "RAG_EMBEDDING_MODEL": "sentence-transformers/all-MiniLM-L6-v2", "RAG_RERANKING_MODEL": "", "RAG_EMBEDDING_BATCH_SIZE": 1, "ENABLE_ASYNC_EMBEDDING": true, "RAG_EMBEDDING_CONCURRENT_REQUESTS": 0 } ``` --- ## Disclosed Information and Its Value to an Attacker | Field | What it reveals | |---|---| | `RAG_EMBEDDING_ENGINE` | Backend type (OpenAI, Ollama, Azure, etc.) | | `RAG_EMBEDDING_MODEL` | Exact model name — reveals embedding model | | `RAG_RERANKING_MODEL` | Reranker in use — reveals reranker | | `RAG_TEMPLATE` | **RAG template** — exposes the RAG template | | `CHUNK_SIZE` / `CHUNK_OVERLAP` | Chunking parameters — enables exact reconstruction of how documents are split and retrieved | --- ## Attack Scenario 1. Attacker sends one unauthenticated HTTP GET to `/api/v1/retrieval/`. 2. Response reveals the embedding model and chunking parameters. 3. Attacker uses the exact chunk size/overlap to craft RAG poisoning payloads that are guaranteed to be retrieved. --- ## Impact 1. **RAG template disclosure** 2. **Infrastructure fingerprinting** — embedding engine and model name reveal the AI stack to an internet scanner 3. **RAG attack surface mapping** — chunk parameters enable precise calculation of retrieval boundaries 4. **Zero-effort recon** — no brute force, no credentials, no rate-limit concern. Single request from any IP. --- ## Recommended Fix Add `get_verified_user` dependency (or `get_admin_user` for stricter control): ```python # BEFORE (vulnerable) @router.get('/') async def get_status(request: Request): # AFTER @router.get('/') async def get_status(request: Request, user=Depends(get_verified_user)): ```

Exploitation Scenario

An adversary conducting AI infrastructure reconnaissance uses Shodan or Censys to enumerate internet-facing Open WebUI instances by banner or service fingerprint. Against each target, they send a single unauthenticated GET to /api/v1/retrieval/ — receiving the embedding model name (e.g., sentence-transformers/all-MiniLM-L6-v2), chunk boundaries (CHUNK_SIZE: 1000, CHUNK_OVERLAP: 100), and the full RAG_TEMPLATE prompt structure in the JSON response. The adversary replicates the exact embedding model locally and uses the disclosed chunk parameters to calculate retrieval boundaries mathematically, determining precisely which document segments will be returned for a given query. They then craft poisoned documents engineered to fit precisely within those chunk boundaries — maximizing retrieval probability — and inject them through any available document upload vector: shared folders watched by the RAG pipeline, email attachments, or web form uploads. Subsequent user queries consistently surface attacker-controlled content, enabling misinformation injection or data harvesting via follow-on prompt manipulation using the known RAG_TEMPLATE structure.