CVE-2026-45397 Overview
CVE-2026-45397 is an information disclosure vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The GET /api/v1/retrieval/ endpoint returns the live Retrieval-Augmented Generation (RAG) pipeline configuration to any unauthenticated HTTP client. The endpoint requires no Authorization header, cookie, or API key to access. Adjacent endpoints on the same router, including /embedding and /config, are correctly protected by the get_admin_user dependency, making this a targeted authentication omission. The issue is fixed in Open WebUI version 0.9.5 and is classified under [CWE-306: Missing Authentication for Critical Function].
Critical Impact
Unauthenticated remote attackers can retrieve live RAG pipeline configuration data from exposed Open WebUI instances prior to version 0.9.5.
Affected Products
- Open WebUI versions prior to 0.9.5
- Self-hosted Open WebUI deployments exposing the /api/v1/retrieval/ endpoint
- Open WebUI instances reachable over the network without upstream authentication controls
Discovery Timeline
- 2026-05-15 - CVE-2026-45397 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45397
Vulnerability Analysis
The vulnerability resides in the retrieval router of Open WebUI. The GET /api/v1/retrieval/ route handler omits the FastAPI dependency that enforces administrator authentication. Sibling endpoints on the same router, such as /api/v1/retrieval/embedding and /api/v1/retrieval/config, correctly declare Depends(get_admin_user). The missing dependency on the index route allows any network client to read the active RAG pipeline configuration.
The disclosed configuration includes parameters that describe how the platform processes documents and queries internal knowledge sources. Attackers can use this information to map the deployment, identify embedding models in use, and plan follow-on attacks against the AI workload. The CWE-306 classification reflects the absence of authentication on a function that handles sensitive configuration data.
Root Cause
The root cause is a missing authentication dependency on a single FastAPI route. The pattern of consistent protection across neighboring endpoints indicates a developer oversight rather than a design decision. Because Open WebUI relies on per-route dependencies for access control, an omitted decorator produces an immediate authentication bypass for that path.
Attack Vector
Exploitation requires only network reachability to the Open WebUI HTTP service. An attacker sends an unauthenticated GET request to /api/v1/retrieval/ and receives the configuration payload in the response body. No user interaction, credentials, or prior access are required. Internet-exposed instances and instances reachable from untrusted internal networks are at risk.
No verified public exploit code is available for this issue. See the GitHub Security Advisory GHSA-65pg-qhhw-mxwg for vendor technical details.
Detection Methods for CVE-2026-45397
Indicators of Compromise
- Unauthenticated GET requests to /api/v1/retrieval/ in Open WebUI access logs
- Successful HTTP 200 responses to /api/v1/retrieval/ from clients without session cookies or bearer tokens
- Scanning patterns enumerating /api/v1/retrieval/* paths from a single source IP
Detection Strategies
- Inspect reverse proxy and application logs for requests to /api/v1/retrieval/ lacking an Authorization header or authenticated session cookie
- Compare request volume to the retrieval endpoint against baseline administrator activity to identify anomalies
- Alert on requests to /api/v1/retrieval/ originating from IP ranges outside expected administrator networks
Monitoring Recommendations
- Forward Open WebUI HTTP access logs to a central log platform and retain at least 90 days of history
- Track the running Open WebUI version across deployments and alert on instances below 0.9.5
- Monitor egress from Open WebUI hosts for unexpected connections that may indicate post-disclosure follow-on activity
How to Mitigate CVE-2026-45397
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.5 or later on all self-hosted deployments
- Restrict network access to Open WebUI so the HTTP service is not reachable from untrusted networks
- Rotate any secrets, API keys, or embedding service credentials that may have been referenced in the exposed RAG configuration
- Review access logs for prior unauthenticated requests to /api/v1/retrieval/
Patch Information
The vendor fixed the issue in Open WebUI 0.9.5 by adding the get_admin_user authentication dependency to the affected retrieval route. Administrators should apply the upgrade by following the official release instructions referenced in the GitHub Security Advisory GHSA-65pg-qhhw-mxwg.
Workarounds
- Place Open WebUI behind a reverse proxy that enforces authentication on /api/v1/retrieval/ until the upgrade is applied
- Block external access to /api/v1/retrieval/ at the network or web application firewall layer
- Limit Open WebUI exposure to a VPN or zero-trust access gateway
# Example NGINX block for /api/v1/retrieval/ pending upgrade to 0.9.5
location = /api/v1/retrieval/ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
