CVE-2026-45398 Overview
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. CVE-2026-45398 is a broken access control vulnerability [CWE-639] in Open WebUI versions prior to 0.9.5. The _validate_collection_access() function checks user-memory-* and file-* collection name prefixes but omits validation for knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its contents or write to it through the retrieval endpoints, despite the knowledge API correctly denying access.
Critical Impact
Authenticated attackers can read, inject, or overwrite content in other users' private knowledge bases, compromising confidentiality and integrity of AI retrieval data.
Affected Products
- Open WebUI versions prior to 0.9.5
- Self-hosted Open WebUI deployments with multi-user authentication
- Open WebUI instances exposing retrieval query and processing endpoints
Discovery Timeline
- 2026-05-15 - CVE-2026-45398 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45398
Vulnerability Analysis
The flaw resides in the _validate_collection_access() helper that gates retrieval endpoints in Open WebUI. The function inspects collection name prefixes for user-memory-* and file-* collections and applies authorization checks accordingly. Knowledge base collections do not follow these prefixes — they use raw UUIDs as their identifiers — so the validation logic never evaluates them.
As a result, the authorization check passes by default for any request referencing a knowledge base UUID. The knowledge API itself enforces ownership correctly, but the retrieval layer bypasses that enforcement entirely. An authenticated user who obtains or guesses a private knowledge base UUID can read the underlying vector store contents through query endpoints. The same gap affects the write-side endpoints /process/text, /process/file, /process/files/batch, /process/web, and /process/youtube, enabling content injection or overwrite attacks against another user's knowledge base.
Root Cause
The root cause is an incomplete authorization check in _validate_collection_access(). The function enumerates only two collection naming patterns and treats anything else as permissible, so UUID-based knowledge base collections are never subject to access mediation. This is a classic authorization-by-obscurity pattern aligned with [CWE-639] Authorization Bypass Through User-Controlled Key.
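The fall-through described above, modeled next to a default-deny version. This is an added illustration, not Open WebUI's code or the 0.9.5 patch; the ownership tables, the user-memory-<user id> naming, and the owner-only rule are simplifying assumptions.

```python
import uuid

# Constructed sample data (assumptions for this example only).
KB_ID = "3f2b8c1e-5d4a-4e6f-9a7b-1c2d3e4f5a6b"
KB_OWNERS = {KB_ID: "alice"}      # knowledge base collection -> owner
FILE_OWNERS = {"f-100": "alice"}  # file id -> owner


def _check_prefixed(collection: str, user_id: str):
    """Checks shared by both models; returns None when no prefix matches."""
    if collection.startswith("user-memory-"):
        return collection == f"user-memory-{user_id}"
    if collection.startswith("file-"):
        return FILE_OWNERS.get(collection[len("file-"):]) == user_id
    return None


def validate_prefix_only(collection: str, user_id: str) -> bool:
    """Flawed pattern: only two prefixes are mediated."""
    verdict = _check_prefixed(collection, user_id)
    # Anything else, including a raw knowledge base UUID, is allowed.
    return True if verdict is None else verdict


def validate_default_deny(collection: str, user_id: str) -> bool:
    """Hardened pattern: every naming scheme is checked, unknown names denied."""
    verdict = _check_prefixed(collection, user_id)
    if verdict is not None:
        return verdict
    try:
        uuid.UUID(collection)
    except ValueError:
        return False  # unrecognised naming scheme: deny
    # Knowledge base collection: owner only (sharing grants omitted here).
    return KB_OWNERS.get(collection) == user_id
```
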
Attack Vector
Exploitation requires network access to the Open WebUI instance and a valid authenticated session with low privileges. The attacker must obtain a target knowledge base UUID, which may leak through shared links, logs, exported documents, or enumeration. Once obtained, the attacker submits crafted requests to the retrieval query or processing endpoints referencing that UUID. The server returns or modifies the collection without verifying ownership.
Detection Methods for CVE-2026-45398
Indicators of Compromise
- Retrieval query requests where the authenticated user ID does not match the owner of the referenced knowledge base UUID
- Unexpected POST requests to /process/text, /process/file, /process/files/batch, /process/web, or /process/youtube referencing collection UUIDs outside the requester's owned set
- Unexplained modifications, additions, or content drift in knowledge base collections reported by users
Detection Strategies
- Correlate Open WebUI application logs with the knowledge base ownership table to flag cross-user collection access
- Monitor for high-volume UUID enumeration attempts against retrieval endpoints from single authenticated sessions
- Review access patterns for service accounts and low-privilege users touching knowledge bases they do not own
Monitoring Recommendations
- Enable verbose request logging on Open WebUI retrieval routes and forward logs to a centralized SIEM
- Alert on any 200-status response from /process/* endpoints where the target collection UUID is not in the caller's authorized set
- Track baseline knowledge base read and write volumes per user and alert on deviations
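One way to implement the log-to-ownership correlation and the enumeration check from the lists above. This is an added example, not part of Open WebUI; the JSON log fields, the /retrieval path prefix, the ownership table and all sample events are constructed assumptions.

```python
import json
import uuid
from collections import defaultdict

WRITE_SUFFIXES = ("/process/text", "/process/file", "/process/files/batch",
                  "/process/web", "/process/youtube")
A = "11111111-1111-4111-8111-111111111111"
B = "22222222-2222-4222-8222-222222222222"
OWNERS = {A: "alice", B: "bob"}  # constructed ownership table: KB UUID -> owner
Q, W = "/retrieval/query/collection", "/retrieval/process/text"  # assumed paths

# Constructed JSON-lines log; the field names are assumptions.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"user": "alice", "path": Q, "collection": A, "status": 200},
    {"user": "mallory", "path": Q, "collection": B, "status": 200},
    {"user": "mallory", "path": W, "collection": A, "status": 200},
    {"user": "mallory", "path": Q, "collection": A, "status": 403},
    {"user": "bob", "path": Q, "collection": "file-xyz", "status": 200},
] + [
    {"user": "mallory", "path": Q, "status": 404,
     "collection": f"aaaaaaaa-0000-4000-8000-00000000000{i}"} for i in (1, 2, 3)
])


def is_uuid(name: str) -> bool:
    try:
        uuid.UUID(name)
        return True
    except ValueError:
        return False


def analyse(log_text: str, owners: dict, enum_threshold: int = 3):
    """Return (cross-user accesses, users probing many unknown UUIDs)."""
    findings, misses = [], defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        coll, user = ev["collection"], ev["user"]
        if not is_uuid(coll):
            continue  # file-* / user-memory-* names are out of scope here
        owner = owners.get(coll)
        if owner is None:
            misses[user].add(coll)  # UUID that matches no knowledge base
        elif owner != user and ev["status"] == 200:
            kind = "write" if ev["path"].endswith(WRITE_SUFFIXES) else "read"
            findings.append((user, kind, coll, owner))
    enumerators = sorted(u for u, s in misses.items() if len(s) >= enum_threshold)
    return findings, enumerators
```
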
How to Mitigate CVE-2026-45398
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.5 or later, which fixes the access control logic in _validate_collection_access()
- Audit knowledge base contents for unauthorized modifications or injected entries created before the upgrade
- Rotate or regenerate knowledge base UUIDs where exposure is suspected and review user access logs
Patch Information
The vulnerability is fixed in Open WebUI 0.9.5. The fix extends _validate_collection_access() to enforce ownership checks on UUID-based knowledge base collections in addition to the existing prefix-based collections. See the GitHub Security Advisory GHSA-4g37-7p2c-38r9 and the corresponding GitHub Pull Request #22109 for fix details. Release notes are available at the GitHub Release v0.9.5 page.
Workarounds
- Restrict Open WebUI access to trusted users only and disable open registration until patched
- Place the application behind an authenticating reverse proxy that enforces additional authorization on /retrieval/* and /process/* paths
- Temporarily disable the retrieval and knowledge processing features if upgrading immediately is not feasible
```bash
# Upgrade Open WebUI container to the patched release
docker pull ghcr.io/open-webui/open-webui:v0.9.5
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui -p 3000:8080 \
  -v open-webui:/app/backend/data \
  ghcr.io/open-webui/open-webui:v0.9.5
```