GHSA-6C2X-GCP3-GP73
Vulnerability from github – Published: 2026-05-08 19:51 – Updated: 2026-05-08 19:51
Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
Affected Component
Retrieval collection access validation:
- backend/open_webui/routers/retrieval.py (lines 2330-2355, _validate_collection_access)
- backend/open_webui/routers/retrieval.py (query endpoints, e.g. POST /query/doc)
Affected Versions
Current main branch (commit 6fdd19bf1) and likely all versions with the knowledge base subsystem.
Description
The _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-* patterns. All other collection names pass through unchecked — including the system-level knowledge-bases meta-collection, which stores the IDs, names, and descriptions of every knowledge base on the instance.
Any authenticated user can query this meta-collection directly via the retrieval query endpoints to obtain a global index of all knowledge bases across all users.
```python
# retrieval.py:2330-2355 — incomplete collection allowlist
def _validate_collection_access(user, collection_name, ...):
    if collection_name.startswith('user-memory-'):
        # Check user-memory ownership
        ...
    elif collection_name.startswith('file-'):
        # Check file access
        ...
    # Everything else (including "knowledge-bases") passes through unchecked
```
This finding is the enabler for the KB destruction (process/web), KB content injection (process/file), and RAG vector search access bypass findings — all of which require knowing a target KB's UUID. Without this enumeration, UUIDs are random and practically unguessable; with it, UUIDs across the entire instance are trivially obtained.
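The fail-open shape described above next to a default-deny rewrite, as an added example (not Open WebUI's code and not the fix shipped by the project). The `User` and `Store` stand-ins, the `RESERVED` set, the `user-memory-<user id>` naming, and the rule that any other collection name is a knowledge base ID are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the application's ownership lookups (hypothetical).
@dataclass
class User:
    id: str

@dataclass
class Store:
    file_owner: dict = field(default_factory=dict)  # file id -> owner user id
    kb_readers: dict = field(default_factory=dict)  # KB id -> user ids with read access

# System collections that the user-facing query path never serves.
RESERVED = {"knowledge-bases"}

def validate_fail_open(user, name, store):
    """Shape described in the advisory: only two prefixes are checked."""
    if name.startswith("user-memory-"):
        return name == f"user-memory-{user.id}"
    elif name.startswith("file-"):
        return store.file_owner.get(name[len("file-"):]) == user.id
    return True  # everything else, including "knowledge-bases", passes

def validate_default_deny(user, name, store):
    """Every name must satisfy a known rule; reserved or unknown names are refused."""
    if name in RESERVED:
        return False
    if name.startswith("user-memory-"):
        return name == f"user-memory-{user.id}"
    if name.startswith("file-"):
        return store.file_owner.get(name[len("file-"):]) == user.id
    # Assumption: any other collection name is a knowledge base ID.
    return user.id in store.kb_readers.get(name, set())

def compare(user, names, store):
    """Map each name to (fail_open_result, default_deny_result)."""
    return {n: (validate_fail_open(user, n, store),
                validate_default_deny(user, n, store)) for n in names}

if __name__ == "__main__":
    # Constructed sample data: one file and one knowledge base, both owned by alice.
    store = Store(file_owner={"f1": "alice"}, kb_readers={"kb-constructed-1": {"alice"}})
    names = ["knowledge-bases", "kb-constructed-1", "file-f1", "user-memory-alice"]
    for who in ("alice", "bob"):
        print(who, compare(User(who), names, store))
```

The final branch is the important one: a name that matches no rule is resolved against an access list instead of being allowed, so adding a new system collection later cannot silently become readable.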
CVSS 3.1 Breakdown
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network (N) | Exploited remotely via API call |
| Attack Complexity | Low (L) | Single API call |
| Privileges Required | Low (L) | Requires any authenticated user account |
| User Interaction | None (N) | No victim interaction required |
| Scope | Unchanged (U) | Impact within the knowledge base boundary |
| Confidentiality | Low (L) | Discloses KB metadata (IDs, names, descriptions) across all users |
| Integrity | None (N) | No direct data modification |
| Availability | None (N) | No denial of service |
Attack Scenario
- Attacker (any authenticated user) sends:
  ```
  POST /api/v1/retrieval/query/doc
  {
    "collection_name": "knowledge-bases",
    "query": "confidential"
  }
  ```
- _validate_collection_access does not recognize the knowledge-bases prefix and lets the request pass.
- The vector search returns the most relevant documents from the meta-collection — knowledge base records including their UUIDs, names, and descriptions — across all users on the instance.
- Attacker varies the query to enumerate more KBs: "project", "internal", "private", etc.
- Attacker now has a full target list for subsequent attacks (destruction, poisoning, content extraction).
Impact
- Information disclosure: KB names and descriptions may reveal sensitive project names, internal initiatives, or user activities
- Enabler for other attacks: Unlocks the following findings by supplying the required target UUIDs:
  - KB destruction/poisoning via process/web
  - Cross-user content injection via process/file
  - RAG vector search access bypass in retrieval/utils.py
- Transforms these from theoretical (requires UUID guessing) to trivially exploitable (UUIDs enumerable)
Preconditions
- Attacker must have a valid user account
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.12"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44557"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T19:51:33Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"id": "GHSA-6c2x-gcp3-gp73",
"modified": "2026-05-08T19:51:33Z",
"published": "2026-05-08T19:51:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-6c2x-gcp3-gp73"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection"
}