Improper Neutralization of Special Elements in Data Query Logic in Open WebUI - CVE-2026-54019
Published: June 30, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper neutralization of special elements in data query logic in the Milvus multitenancy retrieval query handling when processing user-supplied collection names. A remote user can send a specially crafted query request to disclose sensitive information.
Only deployments using Milvus multitenancy mode are vulnerable, and no user interaction is required.
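
The class of flaw described above, as an added example that is not Open WebUI's code: a tenant filter expression built by pasting a user-supplied collection name into a query string, next to an allow-listed builder and a structural check. The field name `resource_id`, the function names and the sample names are assumptions made for illustration.

```python
import re

# Hypothetical scalar field that stores the tenant's collection name.
# Assumption for illustration; not taken from Open WebUI's source.
TENANT_FIELD = "resource_id"

# Allow-list: letters, digits, underscore, hyphen; bounded length.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")

# A double-quoted string literal, allowing backslash escapes inside it.
_LITERAL_RE = re.compile(r'"(?:[^"\\]|\\.)*"')


def naive_filter(collection_name: str) -> str:
    """Unsafe pattern: the name is pasted into the expression unchanged."""
    return f'{TENANT_FIELD} == "{collection_name}"'


def safe_filter(collection_name: str) -> str:
    """Build the tenant filter only from names that match the allow-list."""
    if not isinstance(collection_name, str) or not _NAME_RE.fullmatch(collection_name):
        raise ValueError("collection name contains characters outside the allow-list")
    return f'{TENANT_FIELD} == "{collection_name}"'


def structure_intact(expr: str) -> bool:
    """True when, with string literals masked, only `field == <lit>` remains.

    Useful as a regression check: whatever name goes in, the filter must
    stay a single equality comparison against one string literal.
    """
    masked = _LITERAL_RE.sub("<lit>", expr)
    return masked == f"{TENANT_FIELD} == <lit>"


if __name__ == "__main__":
    # Constructed sample names: one ordinary, two containing special elements.
    for name in ["file-1234", 'file"x', "file\\"]:
        expr = naive_filter(name)
        print(f"{name!r:12} naive intact={structure_intact(expr)}", end="  ")
        try:
            safe_filter(name)
            print("safe_filter: accepted")
        except ValueError as exc:
            print(f"safe_filter: rejected ({exc})")
```

The allow-list is deliberately narrower than what a string literal could carry; names that need other characters should be mapped to a server-generated identifier rather than escaped by hand.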