CVE-2026-44557 Overview
CVE-2026-44557 is a broken access control vulnerability [CWE-863] in Open WebUI, a self-hosted artificial intelligence platform. The flaw exists in the _validate_collection_access function, which uses an incomplete allowlist to enforce ownership checks. Only collections matching user-memory-* and file-* patterns receive authorization validation. All other collection names, including the system-level knowledge-bases meta-collection, pass through unchecked. Any authenticated user can query this meta-collection through the retrieval query endpoints to enumerate every knowledge base on the instance. The issue is fixed in version 0.9.0.
Critical Impact
Authenticated users can retrieve a global index containing the IDs, names, and descriptions of every knowledge base across all tenants on the Open WebUI instance.
Affected Products
- Open WebUI versions prior to 0.9.0
- Self-hosted Open WebUI deployments with multi-user authentication enabled
- Instances exposing retrieval query endpoints to authenticated users
Discovery Timeline
- 2026-05-15 - CVE-2026-44557 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-44557
Vulnerability Analysis
The vulnerability resides in the _validate_collection_access function within Open WebUI's retrieval subsystem. This function gates access to vector collections used by the platform's retrieval-augmented generation (RAG) features. Instead of enforcing a default-deny policy, the function implements a pattern-based allowlist that only checks ownership for collection names matching user-memory-* and file-*.
Collections outside this allowlist receive no authorization check. The knowledge-bases meta-collection is one such unchecked target. This collection stores metadata for every knowledge base on the instance, including identifiers, names, and descriptions. An authenticated user can issue a retrieval query against knowledge-bases and receive a complete inventory of organizational knowledge resources that should be partitioned by user or workspace.
The disclosed data does not include the underlying documents stored in each knowledge base. However, the leaked metadata can reveal sensitive project names, internal initiatives, and descriptive context that aid follow-on attacks.
Root Cause
The root cause is an improper authorization design [CWE-863]. The validation logic uses an allowlist of patterns that require ownership checks, rather than denying access by default and explicitly permitting authorized collections. System-level collections were never added to the enforcement path, leaving them silently accessible to any authenticated principal.
Attack Vector
Exploitation requires network access to the Open WebUI instance and a valid authenticated session. The attacker submits a retrieval query naming the knowledge-bases meta-collection. The server returns the collection contents without verifying that the caller owns or has been granted access to the targeted knowledge bases. No user interaction beyond standard authentication is required, and complexity is low.
Detection Methods for CVE-2026-44557
Indicators of Compromise
- Retrieval query requests referencing the knowledge-bases collection name from non-administrative user accounts
- Anomalous enumeration patterns where a single authenticated session queries multiple non-owned collections in sequence
- Application logs showing successful responses to _validate_collection_access calls for system-level collection identifiers
Detection Strategies
- Inspect Open WebUI application and reverse proxy logs for query endpoint requests containing the knowledge-bases literal
- Correlate authenticated user IDs with the collection names they query and flag access to collections outside user-memory-* and file-* namespaces
- Baseline normal retrieval API call volumes per user and alert on sudden spikes that indicate enumeration
Monitoring Recommendations
- Forward Open WebUI access logs to a centralized log platform with retention sufficient for incident review
- Add alerting rules for any retrieval query that targets meta-collections or system-reserved collection prefixes
- Track installed Open WebUI versions across the environment to confirm patched deployments
How to Mitigate CVE-2026-44557
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.0 or later, which corrects the _validate_collection_access enforcement logic
- Audit existing Open WebUI instances for unauthorized queries against the knowledge-bases collection
- Review knowledge base names and descriptions for sensitive content that may have been exposed and rotate or rename where appropriate
Patch Information
The maintainers fixed the vulnerability in Open WebUI 0.9.0. The patch extends the authorization checks to cover system-level collections, including the knowledge-bases meta-collection. Refer to the GitHub Security Advisory GHSA-6c2x-gcp3-gp73 for the official advisory and remediation guidance.
Workarounds
- Restrict Open WebUI access to trusted users only until the upgrade is applied, using network controls or single sign-on policies
- Disable retrieval query endpoints for non-administrative roles where feature flags or reverse proxy rules allow
- Place an authenticating reverse proxy in front of Open WebUI to block requests whose payload references reserved collection names such as knowledge-bases
# Example NGINX rule blocking requests that reference the knowledge-bases meta-collection
location /api/v1/retrieval/query {
if ($request_body ~* "knowledge-bases") {
return 403;
}
proxy_pass http://open-webui-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
