CVE-2026-29071 Overview
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. A vulnerability exists in versions prior to 0.8.6 that allows any authenticated user to read other users' private memories via the /api/v1/retrieval/query/collection endpoint. This represents an Insecure Direct Object Reference (IDOR) vulnerability where proper authorization checks are missing on API endpoints that handle sensitive user data.
Critical Impact
Authenticated attackers can access private memory data belonging to other users, potentially exposing sensitive AI conversation histories, personal notes, and confidential information stored within the platform.
Affected Products
- Open WebUI versions prior to 0.8.6
- openwebui open_webui (all platforms)
Discovery Timeline
- 2026-03-27 - CVE-2026-29071 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-29071
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), commonly known as an Insecure Direct Object Reference (IDOR). The flaw exists in the retrieval API endpoint that handles queries to memory collections. The endpoint fails to properly validate that the requesting user has authorization to access the specified memory collection, allowing any authenticated user to query and retrieve private memories belonging to other users.
The vulnerability is exploitable over the network and requires low-privilege authenticated access. While user interaction is not required for exploitation, the impact is limited to confidentiality breaches without affecting system integrity or availability.
Root Cause
The root cause is insufficient authorization validation in the /api/v1/retrieval/query/collection endpoint. When processing requests, the application fails to verify that the authenticated user owns or has permission to access the requested memory collection. This allows attackers to enumerate and access arbitrary user memory collections by manipulating the collection identifier in API requests.
Attack Vector
The attack vector involves an authenticated user sending crafted API requests to the vulnerable endpoint. By manipulating the collection parameter in requests to /api/v1/retrieval/query/collection, an attacker can access private memories stored by other users. The attack requires network access to the Open WebUI instance and valid authentication credentials (even low-privilege accounts are sufficient).
The vulnerability allows attackers to query the retrieval API with arbitrary collection identifiers. When the application processes these requests, it returns memory data without validating ownership, effectively bypassing the intended access controls. For detailed technical information, refer to the GitHub Security Advisory.
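The ownership check that the Root Cause section describes as missing, shown beside the unchecked behaviour. This is an added illustration, not Open WebUI's code or its patch: the in-memory store, the collection names, the `shared_with` field and the list-valued request are all hypothetical.

```python
class CollectionAccessDenied(Exception):
    """Raised for unknown and unauthorized collections alike."""


# Constructed stand-in for the vector store; every name here is hypothetical.
COLLECTIONS = {
    "mem-alice": {"owner": "alice", "shared_with": set(), "docs": ["alice private note"]},
    "mem-bob": {"owner": "bob", "shared_with": set(), "docs": ["bob private note"]},
    "kb-team": {"owner": "alice", "shared_with": {"bob"}, "docs": ["team handbook"]},
}


def query_unchecked(user_id, collection_id):
    """Flawed pattern: the caller is authenticated, but ownership is never compared."""
    return COLLECTIONS[collection_id]["docs"]


def can_read(user_id, collection_id):
    """True only if the collection exists and the user owns it or was granted access."""
    entry = COLLECTIONS.get(collection_id)
    if entry is None:
        return False
    return entry["owner"] == user_id or user_id in entry["shared_with"]


def query_checked(user_id, collection_ids):
    """Authorize every requested collection before reading any of them."""
    if any(not can_read(user_id, c) for c in collection_ids):
        # Same error for "does not exist" and "not yours", so the response
        # cannot be used to learn which collection identifiers are valid.
        raise CollectionAccessDenied("collection not found")
    return [doc for c in collection_ids for doc in COLLECTIONS[c]["docs"]]
```

The check is all-or-nothing: one unauthorized identifier in the request rejects the whole query instead of returning a partial result.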
Detection Methods for CVE-2026-29071
Indicators of Compromise
- Unusual API request patterns to the /api/v1/retrieval/query/collection endpoint from authenticated users
- Access logs showing users querying memory collections they do not own
- Anomalous spikes in retrieval API usage from individual user accounts
- Cross-user collection access patterns visible in application logs
Detection Strategies
- Monitor API access logs for requests to /api/v1/retrieval/query/collection with collection IDs not belonging to the authenticated user
- Implement alerting on multiple failed or unusual collection access attempts from single user sessions
- Review authentication logs for accounts making suspicious bulk queries to the retrieval API
- Deploy web application firewalls (WAF) with rules to detect IDOR attack patterns
Monitoring Recommendations
- Enable detailed logging on the retrieval API endpoint including collection IDs and requesting user identities
- Configure SIEM rules to correlate user authentication events with collection access patterns
- Establish baseline metrics for normal retrieval API usage per user to identify anomalous behavior
- Implement real-time alerting for cross-account data access attempts
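A sketch of the log check described under Detection Strategies, assuming the logging recommended above is in place. It is an added example, not part of the advisory or of Open WebUI: the JSON-lines log format, its field names, and the `user-memory-<user id>` collection naming are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict

ENDPOINT = "/api/v1/retrieval/query/collection"
MEMORY_PREFIX = "user-memory-"  # assumption: memory collections embed the owner's id

# Constructed JSON-lines access log; the field names are assumptions.
SAMPLE_LOG = "\n".join([
    '{"user_id": "u-alice", "path": "/api/v1/retrieval/query/collection", "collections": ["user-memory-u-alice"]}',
    '{"user_id": "u-bob", "path": "/api/v1/retrieval/query/collection", "collections": ["user-memory-u-alice"]}',
    '{"user_id": "u-bob", "path": "/api/v1/retrieval/query/collection", "collections": ["kb-42", "user-memory-u-carol"]}',
    '{"user_id": "u-carol", "path": "/api/v1/retrieval/query/collection", "collections": ["file-abc"]}',
    '{"user_id": "u-bob", "path": "/api/v1/chats", "collections": ["user-memory-u-alice"]}',
    'truncated or non-JSON line',
])


def memory_owner(collection):
    """Return the owner id encoded in a memory collection name, else None."""
    if isinstance(collection, str) and collection.startswith(MEMORY_PREFIX):
        return collection[len(MEMORY_PREFIX):] or None
    return None


def find_cross_user_queries(log_text):
    """Return (line_no, requester, owner, collection) for each ownership mismatch."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed lines are skipped, not fatal
        if not isinstance(rec, dict) or rec.get("path") != ENDPOINT:
            continue
        for coll in rec.get("collections") or []:
            owner = memory_owner(coll)
            if owner is not None and owner != rec.get("user_id"):
                findings.append((line_no, rec.get("user_id"), owner, coll))
    return findings


def summarize(findings):
    """Per requester: number of flagged queries and the distinct owners touched."""
    counts, owners = defaultdict(int), defaultdict(set)
    for _, requester, owner, _ in findings:
        counts[requester] += 1
        owners[requester].add(owner)
    return {u: {"queries": counts[u], "owners": sorted(owners[u])} for u in counts}
```

The per-requester summary gives the number of distinct owners touched by one account, which is the figure to alert on when triaging bulk cross-user access.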
How to Mitigate CVE-2026-29071
Immediate Actions Required
- Upgrade Open WebUI to version 0.8.6 or later immediately
- Audit access logs to identify any potential exploitation of this vulnerability prior to patching
- Review user accounts for signs of unauthorized data access
- Consider temporarily restricting access to the affected API endpoint until patching is complete
Patch Information
The vulnerability is patched in Open WebUI version 0.8.6. Organizations should upgrade to this version or later to remediate the vulnerability. For detailed patch information and release notes, see the GitHub Security Advisory.
Workarounds
- Implement network-level access controls to restrict API access to trusted users only
- Deploy a reverse proxy with additional authorization checks on the vulnerable endpoint
- Consider temporarily disabling the retrieval API functionality if not critical to operations
- Limit user registration and access to reduce the attack surface until patching is complete
# Example: Upgrade Open WebUI using pip
# Quote the requirement so the shell does not treat ">" as an output redirection
pip install --upgrade "open-webui>=0.8.6"
# Verify installed version
pip show open-webui | grep Version