Improper access control in Open WebUI - #VU130174

Published: May 5, 2026


Vulnerability identifier: #VU130174
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote authenticated user to obtain sensitive information.

The vulnerability exists due to improper access control in the get_sources_from_items function of the RAG source resolution logic, which runs when a chat completion request references file or knowledge base vector collections. The referenced file ID or knowledge base collection name is resolved against the vector store without verifying that the requesting user is permitted to read that resource. A remote authenticated user can send a specially crafted chat completion request referencing a target file ID or knowledge base collection name and obtain retrieved content from a resource they are not authorized to access.

Successful exploitation requires knowledge of the target file ID or knowledge base ID, and the target resource must already have been processed into the vector store.
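The following is an added illustration of the flaw class described above, written for this page; it is not Open WebUI's code and does not reproduce the real get_sources_from_items implementation. All names (VectorStore, Resource, resolve_sources_unchecked, resolve_sources_checked, has_access) and the sample data are hypothetical and constructed. The unchecked resolver returns indexed chunks for any ID the caller supplies, which is the pattern an authenticated user can abuse once they know a file or collection ID; the checked resolver maps the ID to its owning resource and enforces an access decision before touching the vector store.

```python
"""Constructed example: RAG source resolution with and without an
authorization check on caller-supplied file / collection IDs.
Not Open WebUI code; every identifier here is hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Resource:
    """A file or knowledge base that has already been processed into the vector store."""
    id: str
    kind: str                      # "file" or "collection"
    owner: str
    shared_with: set = field(default_factory=set)
    chunks: list = field(default_factory=list)


class VectorStore:
    """Minimal stand-in for a vector database: resource ID -> indexed text chunks."""

    def __init__(self):
        self._resources = {}

    def add(self, res):
        self._resources[res.id] = res

    def get(self, res_id):
        return self._resources.get(res_id)

    def search(self, res_id, query):
        """Return chunks of one resource that match the query (substring match
        stands in for vector similarity search)."""
        res = self._resources.get(res_id)
        if res is None:
            return []
        return [c for c in res.chunks if query.lower() in c.lower()]


class AccessDenied(Exception):
    pass


def has_access(user, res):
    """Hypothetical access policy: owner or explicitly shared-with users may read."""
    return user == res.owner or user in res.shared_with


def resolve_sources_unchecked(store, user, items, query):
    """Vulnerable pattern: every referenced ID is looked up directly in the
    vector store and its matching chunks are returned to the requester.
    The 'user' argument is never consulted, so any authenticated user who
    learns or guesses an ID receives the resource's content."""
    sources = []
    for item in items:
        hits = store.search(item["id"], query)
        if hits:
            sources.append({"id": item["id"], "type": item["type"], "chunks": hits})
    return sources


def resolve_sources_checked(store, user, items, query):
    """Hardened pattern: resolve the ID to its owning resource, verify the
    requester may read it, and only then query the vector store. Unknown and
    unauthorized IDs raise the same error so the response does not act as an
    oracle for which IDs exist."""
    sources = []
    for item in items:
        res = store.get(item["id"])
        if res is None or not has_access(user, res):
            raise AccessDenied(f"{item['type']} {item['id']} not accessible")
        hits = store.search(res.id, query)
        if hits:
            sources.append({"id": res.id, "type": res.kind, "chunks": hits})
    return sources


def build_demo_store():
    """Constructed sample data: alice owns a private file and a collection shared with bob."""
    store = VectorStore()
    store.add(Resource("file-a1", "file", "alice",
                       chunks=["Q3 payroll: total 1.2M", "Headcount plan"]))
    store.add(Resource("kb-team", "collection", "alice", shared_with={"bob"},
                       chunks=["Payroll process runbook", "Onboarding checklist"]))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    request = [{"type": "file", "id": "file-a1"}]   # bob references alice's private file
    print("unchecked:", resolve_sources_unchecked(store, "bob", request, "payroll"))
    try:
        resolve_sources_checked(store, "bob", request, "payroll")
    except AccessDenied as e:
        print("checked:", e)
```

The check must sit before the vector store query, not after: filtering results by owner once they have been retrieved still lets an attacker measure timing or error differences, and it is easy to forget on one of several code paths (files, collections, shared collections) that reach the same retrieval helper.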


Remediation

Install the security update from the vendor's website.

Sources