PatchSiren cyber security CVE debrief

CVE-2026-44560 open-webui CVE debrief

Open WebUI versions prior to 0.9.0 contain an authorization bypass vulnerability in the `get_sources_from_items` function. The vulnerability affects three specific code paths: `type:

Vendor: open-webui
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Organizations running self-hosted Open WebUI instances prior to 0.9.0 with multi-user deployments where knowledge bases and file collections contain sensitive or compartmentalized information. Particularly relevant for environments with strict data segregation requirements between user groups or projects.

Technical summary

The vulnerability exists in the `get_sources_from_items` function where three specific input types fail to perform authorization validation before executing vector store queries: (1) `type:

Defensive priority

medium

Recommended defensive actions

  • Upgrade Open WebUI to version 0.9.0 or later to address the authorization bypass
  • Review access controls on existing knowledge bases and file collections for unauthorized access patterns
  • Audit vector store query logs for anomalous access to collections by users without explicit permissions
  • Implement network segmentation to limit exposure of Open WebUI instances to untrusted networks
  • Monitor for repeated queries against diverse collection names that may indicate enumeration attempts

Evidence notes

Authorization checks are missing for vector store queries when processing file references, text items with collection_name, and bare collection_name/collection_names parameters. This allows authenticated users to extract content from files and knowledge bases without proper access controls. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, with no integrity or availability impact.
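The three code paths named above (file references, text items carrying a collection_name, and bare collection_name/collection_names parameters) share one defect: the resolved collection is queried before anyone asks whether the caller may read it. The following is an added example, not Open WebUI's code: a simplified resolver with the missing check beside the hardened form. The item dict layout, the access list, the vector store and the sample items are all constructed for the example.

```python
# Constructed access model: collection name -> users allowed to read it.
# A stand-in for Open WebUI's knowledge-base permissions, not its code.
COLLECTION_ACL = {"project-a": {"alice"}, "project-b": {"bob"}}

# Constructed vector store: collection name -> indexed text chunks.
VECTOR_STORE = {
    "project-a": ["project-a budget figures", "project-a roadmap"],
    "project-b": ["project-b customer list"],
}

# Constructed request: one item per code path the advisory names.
SAMPLE_ITEMS = [
    {"type": "file", "file": {"collection_name": "project-a"}},
    {"type": "text", "collection_name": "project-a"},
    {"collection_names": ["project-a", "project-b"]},
]


def vector_query(collection: str, query: str) -> list[str]:
    """Toy retrieval: chunks sharing at least one token with the query."""
    q = set(query.lower().split())
    return [c for c in VECTOR_STORE.get(collection, []) if q & set(c.lower().split())]


def collections_for_item(item: dict) -> list[str]:
    """Map the three item shapes to collection names (dict layout assumed)."""
    if item.get("type") == "file":
        return [item["file"]["collection_name"]]
    if item.get("type") == "text" and "collection_name" in item:
        return [item["collection_name"]]
    if "collection_names" in item:  # bare collection_names
        return list(item["collection_names"])
    if "collection_name" in item:  # bare collection_name
        return [item["collection_name"]]
    return []


def get_sources_vulnerable(items: list[dict], query: str) -> list[str]:
    """The pattern the advisory describes: the caller is never consulted,
    so any collection name the client supplies is queried."""
    return [hit for item in items
            for name in collections_for_item(item)
            for hit in vector_query(name, query)]


def get_sources_fixed(items: list[dict], query: str, user: str):
    """Hardened form: check the ACL for every resolved collection before
    querying. Returns (hits, denied) so the denied names can be logged."""
    hits, denied = [], []
    for item in items:
        for name in collections_for_item(item):
            if user not in COLLECTION_ACL.get(name, set()):
                denied.append(name)  # worth logging: repeated denials across many names is an enumeration signal
                continue
            hits.extend(vector_query(name, query))
    return hits, denied
```

Logging the denied names gives the monitoring step in the recommended actions something concrete to alert on.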

Official resources

2026-05-15