Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54019

CVE-2026-54019: Open WebUI Auth Bypass Vulnerability

CVE-2026-54019 is an authentication bypass flaw in Open WebUI that exploits collection-level ACL checks in Milvus multitenancy mode. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-54019 Overview

CVE-2026-54019 affects Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. Versions prior to 0.9.6 contain an incomplete access control fix that attackers can bypass when Milvus multitenancy mode is enabled. The collection-level access control list (ACL) treats unknown non-knowledge-base collection names as legacy or ephemeral collections. In multitenancy mode, the user-controlled collection name is interpolated into a Milvus expression without escaping, producing an expression injection condition. The flaw is an incomplete fix for CVE-2026-44560 and is categorized under [CWE-862] Missing Authorization.

Critical Impact

Authenticated users can bypass ACL enforcement and inject Milvus filter expressions to access data across tenant boundaries in vulnerable Open WebUI deployments.

Affected Products

  • Open WebUI versions prior to 0.9.6
  • Deployments with Milvus multitenancy mode enabled
  • Self-hosted Open WebUI instances using Milvus as the vector store backend

Discovery Timeline

  • 2026-06-23 - CVE-2026-54019 published to the National Vulnerability Database
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-54019

Vulnerability Analysis

The vulnerability resides in Open WebUI's collection-level ACL enforcement layer. The patch added in response to CVE-2026-44560 introduced ACL checks for knowledge-base collections but retained a permissive branch for collections that do not match known knowledge-base identifiers. The ACL classifies these unknown names as legacy or ephemeral and permits access. When Milvus multitenancy mode is active, that same user-controlled string flows into a Milvus filter expression as a resource_id value. The platform does not escape or quote the value before interpolation. An authenticated attacker can supply a crafted collection name that alters the resulting expression and influences the rows returned by Milvus.

Root Cause

The root cause is missing authorization combined with unsafe string interpolation. The ACL trusts collection names that fall outside the knowledge-base registry, and the Milvus query builder concatenates the resulting resource_id directly into a filter expression without parameterization or escaping. The fix in CVE-2026-44560 closed the known-collection path but did not constrain the legacy or ephemeral branch.

Attack Vector

The attack vector is network-based and requires low-privilege authentication. An attacker with a valid Open WebUI account submits a request referencing a collection name that the ACL does not recognize as a managed knowledge base. The crafted name contains Milvus expression syntax that, once interpolated, modifies the predicate evaluated by the vector store. The result is unauthorized read access to vector data belonging to other tenants. The CWE-862 classification reflects the underlying missing authorization condition. Refer to the Open WebUI Security Advisory GHSA-p5cp-r7rg-qpxc for vendor-provided technical detail.

Detection Methods for CVE-2026-54019

Indicators of Compromise

  • Requests to Open WebUI retrieval endpoints containing collection names with Milvus expression operators such as ||, &&, in, or quote characters.
  • Milvus query logs showing filter expressions with unexpected resource_id values or compound predicates originating from API-driven sessions.
  • Access patterns where a single authenticated user references collection identifiers spanning multiple tenants.

Detection Strategies

  • Inspect application logs for collection name parameters that contain non-alphanumeric characters or whitespace prior to reaching the Milvus client.
  • Correlate Open WebUI audit events with Milvus server-side query logs to identify expressions that deviate from the expected single resource_id equality pattern.
  • Alert on retrieval responses returning vectors whose tenant attribute does not match the requesting user's tenant.

Monitoring Recommendations

  • Enable verbose query logging on Milvus and ship logs to a centralized analytics platform for retrospective analysis.
  • Track the rate of failed and successful collection lookups per user to surface enumeration attempts.
  • Monitor the installed Open WebUI version across all hosts and flag any instance running below 0.9.6.

How to Mitigate CVE-2026-54019

Immediate Actions Required

  • Upgrade Open WebUI to version 0.9.6 or later on every self-hosted instance.
  • Audit Milvus query and Open WebUI access logs for evidence of crafted collection names submitted before the upgrade.
  • Rotate API tokens and session credentials for users who may have exercised the vulnerable code path.

Patch Information

The vendor fixed the issue in Open WebUI 0.9.6. The patched release tightens the ACL so that unknown collection names no longer fall through to the legacy or ephemeral branch when Milvus multitenancy is enabled, and it sanitizes the resource_id value used in Milvus expressions. Patch details are published in the Open WebUI GitHub Security Advisory GHSA-p5cp-r7rg-qpxc.

Workarounds

  • Disable Milvus multitenancy mode until the upgrade to 0.9.6 is complete, accepting the operational trade-offs of single-tenant configuration.
  • Restrict Open WebUI accounts to trusted users and remove unused accounts to limit the authenticated attack surface.
  • Place Open WebUI behind a reverse proxy that rejects request parameters containing Milvus expression metacharacters in collection name fields.
bash
# Upgrade Open WebUI to the patched release
pip install --upgrade "open-webui>=0.9.6"

# Verify installed version
python -c "import open_webui; print(open_webui.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.