PatchSiren cyber security CVE debrief
CVE-2026-45398 open-webui CVE debrief
Open WebUI versions prior to 0.9.5 contain an authorization bypass vulnerability in the `_validate_collection_access()` function. The function validates access for collections with `user-memory-*` and `file-*` prefixes but fails to enforce access controls on knowledge base collections, which use raw UUIDs as collection names. This gap allows any authenticated user who knows a private knowledge base UUID to read its contents through retrieval query endpoints and to inject or overwrite content via retrieval write endpoints including `/process/text`, `/process/file`, `/process/files/batch`, `/process/web`, and `/process/youtube`. The knowledge API correctly denies direct access, but the retrieval endpoints do not perform equivalent validation. The vulnerability was published on 2026-05-15 and last modified on 2026-05-19. It is classified as CWE-639 (Authorization Bypass Through User-Controlled Key).
- Vendor: open-webui
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-19
Who should care
Organizations running self-hosted Open WebUI instances prior to version 0.9.5, particularly those hosting multi-user environments with private knowledge bases containing sensitive information. Security teams responsible for AI/ML platform security and access control validation.
Technical summary
The `_validate_collection_access()` function in Open WebUI prior to 0.9.5 fails to validate access to knowledge base collections that use raw UUIDs as identifiers. Authenticated users with knowledge of a private knowledge base UUID can bypass intended access controls through retrieval endpoints. The vulnerability affects both read operations (query endpoints) and write operations (text, file, batch, web, and YouTube processing endpoints). The knowledge API correctly enforces authorization, creating a security control inconsistency. The fix in version 0.9.5 extends collection access validation to cover knowledge base UUID-based collections.
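The description above and the technical summary both come down to one pattern: a collection-name check that recognises some name shapes and lets every other name fall through as allowed. The following is an added Python example written for this debrief, not Open WebUI's own `_validate_collection_access()` or any of its data model; the function names, the in-memory ACL tables, the sample UUID and the user ids are all constructed for illustration. It places the prefix-only check beside a hardened version that treats a bare UUID as a knowledge base id, looks up its owner and ACL, and denies any name shape it does not recognise.

```python
"""Authorization-check pattern behind CWE-639 as described for CVE-2026-45398.

Added example, not project code. The ACL model, helper names and sample
data are constructed for this demonstration.
"""
import re
from dataclasses import dataclass, field

# Shape of a bare UUID used as a knowledge base collection name.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


@dataclass
class KnowledgeBase:
    id: str
    owner_id: str
    readers: set = field(default_factory=set)
    writers: set = field(default_factory=set)


# Constructed sample data: one private knowledge base and one uploaded file.
KB_PRIVATE = KnowledgeBase(
    id="3f1c2a9e-7b4d-4e6a-9c0d-1a2b3c4d5e6f",  # constructed UUID
    owner_id="alice",
    readers={"bob"},
)
KNOWLEDGE_BASES = {KB_PRIVATE.id: KB_PRIVATE}
FILE_OWNERS = {"doc1": "alice"}  # file id -> owner id


def _file_owner(file_id: str):
    return FILE_OWNERS.get(file_id)


def validate_collection_access_prefix_only(user_id: str, collection: str,
                                           write: bool = False) -> bool:
    """Prefix-based check of the kind the advisory describes.

    Known prefixes are validated; any other name, including a raw
    knowledge base UUID, falls through and is allowed. This is the gap.
    """
    if collection.startswith("user-memory-"):
        return collection == f"user-memory-{user_id}"
    if collection.startswith("file-"):
        return _file_owner(collection[len("file-"):]) == user_id
    return True  # unrecognised shape is treated as allowed


def validate_collection_access(user_id: str, collection: str,
                               write: bool = False) -> bool:
    """Hardened check: every name shape maps to an owner/ACL lookup,
    and anything unrecognised is denied by default."""
    if collection.startswith("user-memory-"):
        return collection == f"user-memory-{user_id}"
    if collection.startswith("file-"):
        return _file_owner(collection[len("file-"):]) == user_id
    if UUID_RE.match(collection):
        kb = KNOWLEDGE_BASES.get(collection)
        if kb is None:
            return False  # unknown id: deny rather than leak existence
        if user_id == kb.owner_id:
            return True
        if write:
            return user_id in kb.writers
        return user_id in kb.readers or user_id in kb.writers
    return False  # deny by default


if __name__ == "__main__":
    for fn in (validate_collection_access_prefix_only, validate_collection_access):
        print(fn.__name__, "mallory read ->",
              fn("mallory", KB_PRIVATE.id),
              "| bob write ->", fn("bob", KB_PRIVATE.id, write=True))
```

The defensive point is the final `return False`: an allow-list of name shapes with a deny-by-default tail means a newly introduced collection naming scheme fails closed until someone adds its ACL lookup, instead of silently bypassing every check. The `write` flag matters separately, because the page notes that both the query endpoints and the `/process/*` write endpoints were affected, and a reader of a knowledge base should not be able to inject or overwrite content.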
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Open WebUI to version 0.9.5 or later to address the authorization bypass vulnerability
- Review knowledge base access logs for unauthorized retrieval queries or content modifications by authenticated users between deployment and patch application
- Implement network-level access controls to limit exposure of Open WebUI retrieval endpoints to authorized users only
- Monitor for anomalous access patterns to knowledge base collections, particularly from unexpected user accounts
- Validate that custom modifications to `_validate_collection_access()` or related authorization functions do not reintroduce the bypass condition
Evidence notes
The vulnerability description and affected versions are derived from the official CVE record and NVD entry. The authorization bypass mechanism is documented in the vendor security advisory. The fix version 0.9.5 is confirmed by release notes. CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H indicates network attack vector, high attack complexity, low privileges required, no user interaction, and high impacts to confidentiality, integrity, and availability.
Official resources
- CVE-2026-45398 CVE record (CVE.org)
- CVE-2026-45398 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Issue Tracking, Patch)
- Mitigation or vendor reference: [email protected] (Release Notes)
- Mitigation or vendor reference: [email protected] (Exploit, Mitigation, Vendor Advisory)
2026-05-15T21:16:37.863Z