GHSA-4g37-7p2c-38r9: Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls
Summary
In Open WebUI, the `_validate_collection_access()` check only denies access to collections whose names carry specific prefixes. Knowledge bases, however, use raw UUIDs as their collection names, so the check never applies to them and falls through to allow. Any authenticated user who knows a private knowledge base's UUID can read its contents or inject fabricated data into it through the retrieval API endpoints, even though the knowledge API itself enforces the access control correctly.
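To make the failure mode concrete, here is an added Python model of the check beside a default-deny version (illustrative code written for this page, not Open WebUI's own implementation); the user names, resource tables, prefix list and knowledge-base UUID are constructed for the example.

```python
import uuid

# Constructed sample data (not Open WebUI's real schema): one private knowledge
# base owned by alice, and one prefixed file collection also owned by alice.
ALICE, BOB = "alice", "bob"
KB_ID = "3f2b9c1e-7d4a-4c5b-9e8f-1a2b3c4d5e6f"   # constructed UUID
KNOWLEDGE_BASES = {KB_ID: {"owner": ALICE, "shared_with": set()}}
FILE_COLLECTIONS = {"file-42": {"owner": ALICE}}
RESTRICTED_PREFIXES = ("file-",)   # illustrative prefix list, not the project's


def validate_collection_access_weak(user: str, name: str) -> bool:
    """Models the flawed check: only prefixed names get an ownership test;
    everything else, including UUID-named knowledge bases, is allowed."""
    if name.startswith(RESTRICTED_PREFIXES):
        owner = FILE_COLLECTIONS.get(name, {}).get("owner")
        return owner == user
    return True  # no prefix matched, so the check falls through to allow


def is_uuid(name: str) -> bool:
    """True only for a canonical hyphenated UUID string."""
    try:
        return str(uuid.UUID(name)) == name.lower()
    except ValueError:
        return False


def validate_collection_access_strict(user: str, name: str) -> bool:
    """Default-deny: every collection name is resolved to a resource whose
    owner or sharing list is checked; unknown names are rejected."""
    if name.startswith(RESTRICTED_PREFIXES):
        owner = FILE_COLLECTIONS.get(name, {}).get("owner")
        return owner == user
    if is_uuid(name):
        kb = KNOWLEDGE_BASES.get(name)
        return kb is not None and (user == kb["owner"] or user in kb["shared_with"])
    return False  # neither a known prefix nor a knowledge base id: deny
```

The weak variant grants bob access to alice's knowledge base purely because its UUID name matches no prefix; the strict variant ties every name to an owner check and denies anything it cannot resolve.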
Vulnerability Details
EPSS: 0.0%
May 14, 2026
Original source: https://github.com/advisories/GHSA-4g37-7p2c-38r9
First tracked: May 14, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%