Improper access control in Open WebUI - #VU130169
Published: May 5, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in retrieval query endpoints when querying the knowledge-bases meta-collection. A remote user can send a specially crafted request to disclose sensitive information.
The issue exposes knowledge base metadata, including IDs, names, and descriptions, across all users on the instance.
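The per-caller authorization that a retrieval endpoint needs for this class of bug, as an added Python example; it is not Open WebUI's code or its fix. The record type, function names and sample data are hypothetical, and the meta-collection name is taken from the wording above.

```python
from dataclasses import dataclass

# Name as written in the advisory; the product's real identifier may differ.
META_COLLECTION = "knowledge-bases"

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class KnowledgeBase:  # hypothetical record, not Open WebUI's model
    id: str
    name: str
    description: str
    owner_id: str
    shared_with: frozenset = frozenset()

    def readable_by(self, user_id: str) -> bool:
        return user_id == self.owner_id or user_id in self.shared_with

def authorize_collections(user_id, requested, kbs):
    """Return the requested collection names if the caller may query all of them."""
    by_id = {kb.id: kb for kb in kbs}
    for name in requested:
        if name == META_COLLECTION:
            continue  # permitted, but hits must pass filter_meta_hits()
        kb = by_id.get(name)
        # Same error for "missing" and "forbidden" so the reply is not an existence oracle.
        if kb is None or not kb.readable_by(user_id):
            raise AccessDenied("collection not available")
    return list(requested)

def filter_meta_hits(user_id, hits, kbs):
    """Keep only meta-collection hits describing knowledge bases the caller can read."""
    by_id = {kb.id: kb for kb in kbs}
    return [h for h in hits if h["id"] in by_id and by_id[h["id"]].readable_by(user_id)]

# Constructed sample data: three knowledge bases and an unfiltered meta-collection result.
SAMPLE_KBS = [
    KnowledgeBase("kb-1", "Alice notes", "private", owner_id="alice"),
    KnowledgeBase("kb-2", "Bob payroll", "private", owner_id="bob"),
    KnowledgeBase("kb-3", "Team wiki", "shared", owner_id="bob", shared_with=frozenset({"alice"})),
]
SAMPLE_HITS = [{"id": kb.id, "name": kb.name, "description": kb.description} for kb in SAMPLE_KBS]

if __name__ == "__main__":
    print(filter_meta_hits("alice", SAMPLE_HITS, SAMPLE_KBS))
```

Both checks run server-side on every request: the first covers named collections, the second covers the meta-collection, whose entries belong to many owners and so cannot be authorized by collection name alone.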