PatchSiren cyber security CVE debrief
CVE-2026-44557 open-webui CVE debrief
Open WebUI versions prior to 0.9.0 contain an authorization bypass vulnerability in the `_validate_collection_access` function. The function uses an incomplete allowlist that only enforces ownership checks for collections matching `user-memory-*` and `file-*` patterns. All other collection names pass through unchecked, including the system-level `knowledge-bases` meta-collection that stores IDs, names, and descriptions of every knowledge base on the instance. Any authenticated user can query this meta-collection directly via retrieval query endpoints to obtain a global index of all knowledge bases across all users. This represents a confidentiality impact where authenticated attackers can enumerate knowledge base metadata belonging to other users. The vulnerability was published on 2026-05-15 and last modified on 2026-05-19. It is rated CVSS 4.3 (Medium severity).
- Vendor
- open-webui
- Product
- Unknown
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-15
- Original CVE updated
- 2026-05-19
- Advisory published
- 2026-05-15
- Advisory updated
- 2026-05-19
Who should care
Organizations running self-hosted Open WebUI instances with multiple users or sensitive knowledge base content should prioritize this patch. Security teams should assess whether knowledge base metadata exposure poses compliance or operational risks in their environment.
Technical summary
The `_validate_collection_access` function in Open WebUI implements an allowlist-based authorization check that only validates ownership for collections matching specific patterns (`user-memory-*` and `file-*`). The `knowledge-bases` meta-collection, which contains metadata for all knowledge bases across the instance, is not covered by this allowlist. Authenticated users can directly query this collection through standard retrieval API endpoints without ownership verification, resulting in unauthorized information disclosure. The vulnerability is classified as CWE-863 (Incorrect Authorization) and affects all versions prior to 0.9.0.
Defensive priority
medium
Recommended defensive actions
- Upgrade Open WebUI to version 0.9.0 or later to remediate this vulnerability
- Review access controls on retrieval query endpoints to ensure proper authorization checks for all collection types
- Audit knowledge base metadata exposure and consider whether `knowledge-bases` collection access should be further restricted
- Monitor access logs for unusual queries to the `knowledge-bases` meta-collection from authenticated users
- If immediate patching is not possible, consider implementing additional access control layers at the reverse proxy or API gateway level
Evidence notes
The vulnerability description is sourced from the official NVD record and GitHub Security Advisory. The incomplete allowlist pattern and specific collection names (`user-memory-*`, `file-*`, `knowledge-bases`) are documented in the CVE description. The affected version range (prior to 0.9.0) and fix version (0.9.0) are confirmed through NVD CPE criteria and advisory references.
Official resources
-
CVE-2026-44557 CVE record
CVE.org
-
CVE-2026-44557 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Vendor Advisory
2026-05-15T20:16:47.227Z