3 matches found
CVE-2026-44560 Open WebUI: Unauthorized File and Knowledge Base Content Access via RAG Vector Search
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" non-full-context, type: "text" with collectionname, and bare collectionname/collectionnames paths in the getsourcesfromitems function perform vector store queries...
GHSA-H36F-RQPX-J5WX Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search
Unauthorized File and Knowledge Base Content Access via RAG Vector Search Affected Component RAG source resolution in chat completion pipeline: - backend/openwebui/retrieval/utils.py lines 963-965, 1063-1068, 1126-1131 in getsourcesfromitems Affected Versions Current main branch commit 6fdd19bf1...
PT-2026-39277
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description The get sources from items function resolves file and knowledge base references into vector search queries during chat completion. Certain code paths perform vector store queries without...