Improper Access Control in Open WebUI Affects User Knowledge Bases
CVE-2026-45398
7.5 HIGH
What is CVE-2026-45398?
Open WebUI, a platform for running AI workloads offline, contains a vulnerability that lets any authenticated user read a private knowledge base if they know the UUID of the collection. The affected method, _validate_collection_access(), does not adequately check the requesting user's permissions on a knowledge base collection, so a valid UUID alone is enough to reach another user's sensitive content. The same flaw lets an attacker inject or overwrite content in another user's knowledge base through several retrieval query endpoints. The issue is fixed in Open WebUI version 0.9.5.
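As an added illustration of the bug class described above, not Open WebUI's code, the following Python contrasts an existence-only collection check with one that authorizes the (user, collection, action) triple; the data model, function names, UUIDs and sample documents are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Collection:
    """A knowledge-base collection addressed by UUID (constructed model)."""
    id: str
    owner_id: str
    docs: list[str] = field(default_factory=list)
    shared_with: set[str] = field(default_factory=set)  # users granted read access
    public: bool = False

# Constructed sample data: three collections, one per sharing mode.
COLLECTIONS = {c.id: c for c in [
    Collection("11111111-1111-4111-8111-111111111111", "alice", ["alice payroll notes"]),
    Collection("22222222-2222-4222-8222-222222222222", "bob", ["bob design doc"], {"carol"}),
    Collection("33333333-3333-4333-8333-333333333333", "dave", ["public faq"], public=True),
]}

def validate_collection_access_weak(user_id, collection_id, write=False):
    """Weak check (the bug class): confirms the collection exists but never
    compares it against the requesting user, so any authenticated user who
    knows the UUID passes, for reads and writes alike."""
    return collection_id in COLLECTIONS

def validate_collection_access(user_id, collection_id, write=False):
    """Hardened check: authorize the (user, collection, action) triple.
    Owner may read and write; shared users and the public may only read."""
    col = COLLECTIONS.get(collection_id)
    if col is None:
        return False          # fail closed; same answer as 'forbidden'
    if user_id == col.owner_id:
        return True
    if write:
        return False          # only the owner may add or overwrite content
    return col.public or user_id in col.shared_with

def query_collection(user_id, collection_id, term):
    """Retrieval path: every query endpoint passes through the check
    before touching the store. Returns the matching documents."""
    if not validate_collection_access(user_id, collection_id):
        raise PermissionError("not authorized for this collection")
    return [d for d in COLLECTIONS[collection_id].docs if term in d]

def add_document(user_id, collection_id, text):
    """Write path: injecting or overwriting content requires write permission."""
    if not validate_collection_access(user_id, collection_id, write=True):
        raise PermissionError("not authorized to modify this collection")
    COLLECTIONS[collection_id].docs.append(text)
    return len(COLLECTIONS[collection_id].docs)
```

The point of the single chokepoint is that every endpoint that accepts a collection UUID (query, upload, reindex) calls the hardened check with the right action flag, rather than trusting that knowing the UUID implies authorization.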
Affected Version(s)
open-webui < 0.9.5
