RAG
Retrieval-Augmented Generation pairs an LLM with an external knowledge store — typically a vector database holding embeddings of documents — so the model can ground its responses in up-to-date or proprietary information. The retrieval layer creates two distinct attack surfaces. First, the index itself can be poisoned: an attacker who can write into the source documents plants malicious content that the retriever will later surface to the LLM, enabling indirect prompt injection at retrieval time. Second, the embedding pipeline and the vector store (Pinecone, Weaviate, Chroma, pgvector, Qdrant) have their own vulnerabilities — authentication bypass, query injection, and unauthorized cross-tenant retrieval. RAG is also a common vector for training-data exfiltration when retrieved context is later used to fine-tune downstream models. Defenses: provenance tagging on retrieved content, source-aware system prompts, ACL-enforced retrieval, and tenant isolation in the vector store.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-44557 | open-webui: auth bypass exposes all knowledge base metadata | open-webui | 4.3 |
| HIGH | CVE-2026-44554 | open-webui: RAG poisoning via unauthorized KB overwrite | open-webui | 8.1 |
| MEDIUM | CVE-2026-44560 | open-webui: RAG auth bypass exposes private files | open-webui | 6.5 |
| MEDIUM | CVE-2026-44897 | mistune: XSS via unescaped heading id= attribute | mistune | 6.1 |
| MEDIUM | CVE-2026-44337 | PraisonAI: SQL/CQL injection in knowledge-store backends | PraisonAI | 6.3 |
| HIGH | GHSA-hmg2-jjjx-jcp2 | Flowise: missing authz on vector store CRUD endpoints | flowise | - |
| HIGH | CVE-2026-45671 | Open WebUI: auth bypass enables mass file deletion | open-webui | 8.0 |
| HIGH | CVE-2026-45402 | open-webui: auth bypass exposes any user's private files via RAG | open-webui | 8.1 |
| HIGH | CVE-2026-45401 | open-webui: SSRF redirect bypass exposes internal services | open-webui | 8.5 |
| HIGH | CVE-2026-45398 | open-webui: IDOR exposes private RAG knowledge bases | open-webui | 7.5 |
| MEDIUM | CVE-2026-45397 | Open WebUI: unauthenticated RAG config leaks AI pipeline | open-webui | 5.3 |
| CRITICAL | CVE-2026-45829 | ChromaDB: pre-auth RCE via trust_remote_code injection | chromadb | 10.0 |
| HIGH | CVE-2026-10814 | Milvus: weak hash allows RBAC grantee impersonation | milvus | 7.0 |
| HIGH | CVE-2026-46444 | Flowise: missing authz on vector store CRUD ops | flowise | 8.8 |
| HIGH | CVE-2026-46477 | Flowise: mass-assignment cross-workspace dataset takeover | flowise | 8.8 |
| HIGH | CVE-2026-46478 | Flowise: mass-assignment allows cross-workspace data takeover | flowise | 8.8 |
| HIGH | CVE-2026-45830 | ChromaDB: auth bypass exposes any tenant's collections | chromadb | 8.8 |
| HIGH | CVE-2026-45831 | ChromaDB: RBAC bypass enables cross-tenant data access | chromadb | 8.8 |
| HIGH | CVE-2026-45832 | ChromaDB: V1 auth bypass exposes all tenant collections | chromadb | 8.8 |
| HIGH | CVE-2026-45833 | ChromaDB: RCE via trust_remote_code in collection update | chromadb | 8.8 |