2 matches found
CVE-2026-44557 Open WebUI: Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the validatecollectionaccess function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory- and file- patterns. All other collection...
Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
Global Knowledge Base Enumeration via knowledge-bases Meta-Collection Affected Component Retrieval collection access validation: - backend/openwebui/routers/retrieval.py lines 2330-2355, validatecollectionaccess - backend/openwebui/routers/retrieval.py query endpoints, e.g. POST /query/doc Affect...