Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54016

CVE-2026-54016: Open WebUI Auth Bypass Vulnerability

CVE-2026-54016 is an authorization bypass flaw in Open WebUI allowing unauthorized access to knowledge base file metadata. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-54016 Overview

CVE-2026-54016 is a Broken Object Level Authorization (BOLA) vulnerability in Open WebUI, a self-hosted artificial intelligence platform. The flaw exists in the builtin search_knowledge_files tool in versions prior to 0.9.6. When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can invoke search_knowledge_files with an arbitrary knowledge_id. The function returns file metadata from the targeted knowledge base without verifying the caller's read access. This enables unauthorized enumeration of private or restricted knowledge base files across tenant boundaries. The issue is tracked under [CWE-639] and fixed in version 0.9.6.

Critical Impact

Authenticated users can enumerate file metadata from knowledge bases they are not authorized to access, exposing the contents of private or restricted AI knowledge stores.

Affected Products

  • Open WebUI versions prior to 0.9.6
  • Deployments with native function calling enabled
  • Models configured without attached knowledge bases

Discovery Timeline

  • 2026-06-23 - CVE-2026-54016 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-54016

Vulnerability Analysis

The vulnerability resides in Open WebUI's builtin search_knowledge_files tool, exposed to large language models through native function calling. The tool accepts a knowledge_id parameter that identifies the target knowledge base to query. Under normal conditions, when a model has knowledge bases attached, the assistant routes lookups through those bound identifiers. The defect appears when the selected model has no attached knowledge bases. In that code path, the tool processes whatever knowledge_id an authenticated user supplies and returns file metadata from the referenced knowledge base. The authorization check that should confirm the calling user has read permission on the target knowledge base is missing. An attacker with any valid Open WebUI account can therefore enumerate knowledge bases belonging to other users or restricted groups. The exposed metadata can reveal filenames, document identifiers, and structural information about private corpora used for retrieval-augmented generation.

Root Cause

The root cause is missing object-level authorization on the knowledge_id parameter. The handler trusts the model-supplied identifier and queries the data store directly. There is no verification step matching the requesting user's identity against the knowledge base's access control list.

Attack Vector

Exploitation requires an authenticated session and network access to the Open WebUI instance. The attacker selects a model with no attached knowledge bases, then issues a prompt that triggers the search_knowledge_files function call with a guessed or known knowledge_id. The response contains metadata from the targeted knowledge base. No user interaction beyond the attacker's own prompt is required.

No public proof-of-concept code is available. See the GitHub Security Advisory for vendor-provided technical details.

Detection Methods for CVE-2026-54016

Indicators of Compromise

  • Tool-call audit log entries showing search_knowledge_files invocations with knowledge_id values that do not belong to the calling user.
  • Repeated search_knowledge_files calls from a single account referencing varied or sequential knowledge_id values, indicating enumeration.
  • Function-call activity from accounts against models that have no knowledge bases attached.

Detection Strategies

  • Correlate Open WebUI application logs with the user-to-knowledge-base ownership mapping and flag mismatches.
  • Alert on high-frequency tool invocations referencing distinct knowledge_id parameters within short time windows.
  • Monitor for accounts querying knowledge bases never opened through the standard UI workflow.

Monitoring Recommendations

  • Forward Open WebUI access and tool-call logs to a centralized log platform for retention and analysis.
  • Establish a baseline of expected search_knowledge_files usage per user and alert on deviations.
  • Review authentication logs for newly created or dormant accounts exhibiting knowledge enumeration behavior.

How to Mitigate CVE-2026-54016

Immediate Actions Required

  • Upgrade Open WebUI to version 0.9.6 or later, which contains the authorization fix.
  • Audit existing knowledge bases for sensitivity and rotate or relocate any content suspected of exposure.
  • Review authenticated user accounts and disable inactive or unnecessary identities to reduce the attack surface.

Patch Information

The vulnerability is fixed in Open WebUI 0.9.6. The patch adds an authorization check that validates the caller's read access against the requested knowledge_id before returning file metadata. Refer to the GitHub Security Advisory GHSA-cx9v-4qj2-jrw6 for release notes and upgrade guidance.

Workarounds

  • Disable native function calling on models that do not require tool use until the upgrade is applied.
  • Restrict Open WebUI access to trusted users through network controls or single sign-on policies.
  • Attach an empty or sentinel knowledge base to models to avoid the vulnerable code path where no knowledge bases are bound.
bash
# Upgrade Open WebUI to the fixed release
pip install --upgrade open-webui==0.9.6

# Or for Docker deployments
docker pull ghcr.io/open-webui/open-webui:0.9.6
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui ghcr.io/open-webui/open-webui:0.9.6

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.