Missing Authentication for Critical Function in Open WebUI - #VU130949

Published: May 11, 2026


Vulnerability identifier: #VU130949
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Open WebUI
Software vendor:
Open WebUI

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authentication in get_status() in backend/open_webui/routers/retrieval.py when handling GET requests to /api/v1/retrieval/. A remote attacker can send an unauthenticated request to disclose sensitive information.

The endpoint returns live RAG pipeline configuration values including the RAG template, embedding model, embedding engine, reranking model, and chunking parameters.
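The defect described above is a route handler with no authentication dependency. The following is an added example, not Open WebUI's own code: a static check that parses a FastAPI-style router module with the standard library `ast` module and lists every route handler that declares no `Depends(...)` on an auth helper. The helper names in `AUTH_DEPENDENCIES` and the sample router source are assumptions constructed for the example.

```python
import ast

# Hypothetical allow-list of auth dependency helpers; adjust to the helpers the
# audited project actually uses.
AUTH_DEPENDENCIES = {"get_verified_user", "get_admin_user", "get_current_user"}

# Constructed sample: the first handler mirrors the bug pattern (no auth dependency),
# the second shows the hardened form with an auth dependency injected.
SAMPLE_ROUTER = '''
from fastapi import APIRouter, Depends, Request
router = APIRouter()

@router.get("/")
async def get_status(request: Request):
    return {"template": request.app.state.config.RAG_TEMPLATE}

@router.get("/embedding")
async def get_embedding_config(request: Request, user=Depends(get_admin_user)):
    return {"embedding_engine": request.app.state.config.RAG_EMBEDDING_ENGINE}
'''


def _is_route_decorator(dec):
    """True for decorators such as @router.get("/") or @app.post(...)."""
    target = dec.func if isinstance(dec, ast.Call) else dec
    return (isinstance(target, ast.Attribute)
            and target.attr in {"get", "post", "put", "patch", "delete", "api_route"})


def _route_path(dec):
    """Return the literal path argument of a route decorator, or '?' if not a literal."""
    if isinstance(dec, ast.Call) and dec.args and isinstance(dec.args[0], ast.Constant):
        return dec.args[0].value
    return "?"


def _has_auth_dependency(fn):
    """Check defaults and annotations for Depends(<helper>) with an allow-listed helper."""
    a = fn.args
    roots = [d for d in a.defaults + a.kw_defaults if d is not None]
    roots += [p.annotation for p in a.args + a.kwonlyargs if p.annotation is not None]
    for root in roots:
        for n in ast.walk(root):
            if (isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
                    and n.func.id == "Depends" and n.args
                    and isinstance(n.args[0], ast.Name)
                    and n.args[0].id in AUTH_DEPENDENCIES):
                return True
    return False


def find_unauthenticated_routes(source):
    """Return (handler name, path) for every route handler lacking an auth dependency."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in node.decorator_list:
                if _is_route_decorator(dec) and not _has_auth_dependency(node):
                    findings.append((node.name, _route_path(dec)))
    return findings
```

Run against the sample, the check reports only `get_status` at `/`; handlers that inject a helper only through a non-allow-listed name are also reported, so extend the allow-list rather than silencing findings.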


Remediation

Install security update from vendor's website.

External links