PatchSiren cyber security CVE debrief

CVE-2026-45397 open-webui CVE debrief

Open WebUI versions prior to 0.9.5 expose live RAG (Retrieval-Augmented Generation) pipeline configuration through the GET /api/v1/retrieval/ endpoint without requiring authentication. This endpoint returns sensitive configuration data to any unauthenticated HTTP client, while adjacent endpoints on the same router (/embedding, /config) are properly protected by the get_admin_user guard. The vulnerability represents a targeted omission in access control rather than a systemic authentication bypass. The issue is classified under CWE-306 (Missing Authentication for Critical Function). The vendor has released version 0.9.5 to address this vulnerability.

Vendor
open-webui
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-19
Advisory published
2026-05-15
Advisory updated
2026-05-19

Who should care

Organizations running self-hosted Open WebUI instances for internal AI workloads, particularly those with multi-tenant deployments or exposure to untrusted networks. Security teams responsible for AI/ML infrastructure governance and compliance officers evaluating data protection controls in RAG implementations.

Technical summary

The vulnerability exists in the FastAPI router handling retrieval operations. While the /embedding and /config endpoints correctly implement the get_admin_user dependency for administrative access control, the GET handler for the base /retrieval/ path lacks any authentication requirement. This allows unauthenticated retrieval of live RAG pipeline configuration including model settings, chunking parameters, and vector store connection details. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects network accessibility, low attack complexity, no privilege requirements, and confidentiality impact without integrity or availability effects.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Open WebUI to version 0.9.5 or later
  • If immediate patching is not feasible, restrict network access to the /api/v1/retrieval/ endpoint at the reverse proxy or firewall layer
  • Audit access logs for unauthorized requests to /api/v1/retrieval/ made before the patch was deployed, since any such request on an unpatched instance may have returned the configuration
  • Verify that other administrative endpoints in the /api/v1/retrieval/ router maintain proper authentication requirements after upgrade
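One way to carry out the log-audit step above, as an added example that is not part of the advisory or of Open WebUI's own code: a stdlib-only Python script that scans nginx-style access log lines (constructed samples are embedded) for successful GET requests to the exact /api/v1/retrieval/ path from outside an assumed trusted range, while leaving the guarded /config and /embedding paths on the same router out of the count. Access logs do not record whether a request carried credentials, so on a pre-0.9.5 instance a 200 response to the base path is the indicator that configuration was served.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2026:09:01:12 +0000] "GET /api/v1/retrieval/ HTTP/1.1" 200 1843 "-" "curl/8.5.0"
203.0.113.44 - - [16/May/2026:09:02:30 +0000] "GET /api/v1/retrieval/ HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.44 - - [16/May/2026:09:02:31 +0000] "GET /api/v1/retrieval/config HTTP/1.1" 401 52 "-" "python-requests/2.31"
198.51.100.7 - - [16/May/2026:09:05:00 +0000] "GET /api/v1/retrieval/?x=1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.44 - - [16/May/2026:09:07:45 +0000] "GET /api/v1/retrieval/embedding HTTP/1.1" 401 52 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Only the unguarded handler: the base path, optionally with a query string.
# /config and /embedding on the same router have the admin guard and are excluded.
TARGET_RE = re.compile(r"^/api/v1/retrieval/(\?.*)?$")

# Assumption: 10.0.0.0/8 is the internal range where admin traffic is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def audit(log_text: str) -> dict:
    """Return {ip: {"count": n, "first": ts, "last": ts}} for 200 responses to
    GET /api/v1/retrieval/ from sources outside TRUSTED_NETS."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["method"] != "GET" or not TARGET_RE.match(m["path"]):
            continue
        # A 200 means the config was actually served; 401/403 means a guard held.
        if m["status"] != "200" or is_trusted(m["ip"]):
            continue
        rec = hits[m["ip"]]
        rec["count"] += 1
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return dict(hits)


if __name__ == "__main__":
    for ip, rec in audit(SAMPLE_LOG).items():
        print(f"{ip}: {rec['count']} config read(s), {rec['first']} .. {rec['last']}")
```

Point the script at the proxy's real access log and widen TRUSTED_NETS to match your environment; any external source it reports should be treated as having read the RAG configuration.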

Evidence notes

The vulnerability was disclosed through GitHub Security Advisories with explicit vendor acknowledgment. The NVD record confirms the affected version range and CVSS scoring. The vendor advisory provides both exploit confirmation and mitigation guidance.
