{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/open-web-ui/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Open WebUI"],"_cs_severities":["high"],"_cs_tags":["idor","authorization_bypass","data_manipulation"],"_cs_type":"advisory","_cs_vendors":["Open Web UI"],"content_html":"\u003cp\u003eOpen WebUI, a web interface for language models, is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in its Retrieval API. This flaw, identified in commit \u003ccode\u003e4d058a125\u003c/code\u003e (v0.8.11) on March 26, 2026, allows authenticated users to bypass knowledge base access controls. Specifically, the \u003ccode\u003e_validate_collection_access\u003c/code\u003e function fails to properly validate access to knowledge base collections, which use UUIDs as collection names. As a result, an attacker who knows the UUID of a private knowledge base can read its contents, inject malicious content, or even overwrite the entire knowledge base through the retrieval query endpoints. This vulnerability exists because the validation function only checks for \u0026ldquo;user-memory-\u003cem\u003e\u0026rdquo; and \u0026ldquo;file-\u003c/em\u003e\u0026rdquo; prefixes, leaving knowledge base UUIDs unchecked. This vulnerability is reachable in default configurations, affecting any non-admin account.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains an authenticated account on the Open WebUI instance.\u003c/li\u003e\n\u003cli\u003eVictim user creates a private knowledge base containing sensitive information.\u003c/li\u003e\n\u003cli\u003eAttacker discovers the UUID of the victim\u0026rsquo;s knowledge base through methods such as shared workspaces, model metadata leakage via the \u003ccode\u003e/api/models/list\u003c/code\u003e endpoint, URL leakage, or RAG citation metadata in shared chats.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious POST request to \u003ccode\u003e/api/v1/retrieval/query/doc\u003c/code\u003e or \u003ccode\u003e/api/v1/retrieval/query/collection\u003c/code\u003e with the victim\u0026rsquo;s knowledge base UUID as the \u003ccode\u003ecollection_name\u003c/code\u003e, bypassing authorization checks and reading the contents of the knowledge base.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a POST request to \u003ccode\u003e/api/v1/retrieval/process/text\u003c/code\u003e with the victim\u0026rsquo;s knowledge base UUID as the \u003ccode\u003ecollection_name\u003c/code\u003e to inject attacker-controlled content into the knowledge base.\u003c/li\u003e\n\u003cli\u003eOr, the attacker crafts a POST request to \u003ccode\u003e/api/v1/retrieval/process/web\u003c/code\u003e or \u003ccode\u003e/api/v1/retrieval/process/youtube\u003c/code\u003e with the victim\u0026rsquo;s knowledge base UUID as the \u003ccode\u003ecollection_name\u003c/code\u003e to overwrite the victim\u0026rsquo;s entire knowledge base.\u003c/li\u003e\n\u003cli\u003eThe injected or replaced content is then used in downstream RAG processes, potentially leading to the exposure of sensitive information or prompt injection attacks.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully compromises the confidentiality, integrity, and availability of the victim\u0026rsquo;s knowledge base.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows unauthorized access to private knowledge bases, potentially exposing sensitive information. Attackers can inject malicious content, leading to integrity breaches and potential prompt injection attacks. The ability to overwrite knowledge bases leads to availability issues and data destruction. A successful attack can compromise the confidentiality, integrity, and availability of user data, potentially affecting all users of the Open WebUI instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect unauthorized access to knowledge bases by monitoring API requests containing UUID-formatted \u003ccode\u003ecollection_name\u003c/code\u003e parameters: \u003ccode\u003eDetect Open WebUI Unauthorized Knowledge Base Access\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Open WebUI Knowledge Base Manipulation via Retrieval API\u003c/code\u003e to identify malicious POST requests to \u003ccode\u003e/api/v1/retrieval/process/*\u003c/code\u003e endpoints with knowledge base UUIDs as \u003ccode\u003ecollection_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply the remediation steps suggested in the original advisory by checking permission on the KB collection in the \u003ccode\u003e_validate_collection_access\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the vulnerable endpoints (\u003ccode\u003e/api/v1/retrieval/query/doc\u003c/code\u003e, \u003ccode\u003e/api/v1/retrieval/query/collection\u003c/code\u003e, \u003ccode\u003e/api/v1/retrieval/process/text\u003c/code\u003e, \u003ccode\u003e/api/v1/retrieval/process/web\u003c/code\u003e, \u003ccode\u003e/api/v1/retrieval/process/youtube\u003c/code\u003e, \u003ccode\u003e/api/v1/retrieval/process/file\u003c/code\u003e, \u003ccode\u003e/api/v1/retrieval/process/files/batch\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:32:37Z","date_published":"2026-05-14T20:32:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-idor/","summary":"Open WebUI is vulnerable to an IDOR vulnerability in its Retrieval API that bypasses knowledge base access controls, allowing any authenticated user who knows a private knowledge base UUID to read, inject content into, or overwrite another user's knowledge base.","title":"Open WebUI IDOR Vulnerability in Retrieval API Allows Unauthorized Access and Modification of Knowledge Bases","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-idor/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c= 0.8.12)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","time-of-check-time-of-use","race-condition","cve-2026-45675","cloud"],"_cs_type":"advisory","_cs_vendors":["Open Web UI"],"content_html":"\u003cp\u003eOpen WebUI versions 0.8.12 and earlier are vulnerable to a time-of-check-time-of-use (TOCTOU) race condition in the LDAP and OAuth authentication flows. This vulnerability, identified as CVE-2026-45675, occurs because the LDAP and OAuth authentication code paths determine the admin role \u003cem\u003ebefore\u003c/em\u003e inserting the user into the database. This creates a race condition where multiple concurrent requests to a new Open WebUI instance can all observe an empty user database and, consequently, all be assigned the admin role. The vulnerability was resolved in version 0.9.0 with a change to assign a default role upon user creation, then upgrading that role to admin only if the new user is the sole user in the database. This impacts deployments utilizing LDAP or OAuth for authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eDeploy Open WebUI version 0.8.12 or earlier on a fresh instance with either LDAP or OAuth enabled for authentication.\u003c/li\u003e\n\u003cli\u003eAn attacker initiates multiple concurrent authentication requests from different user accounts.\u003c/li\u003e\n\u003cli\u003eEach authentication request reaches the \u003ccode\u003ehas_users()\u003c/code\u003e or \u003ccode\u003eget_num_users()\u003c/code\u003e function in \u003ccode\u003eauths.py\u003c/code\u003e or \u003ccode\u003eoauth.py\u003c/code\u003e respectively.\u003c/li\u003e\n\u003cli\u003eDue to the concurrent nature of the requests, multiple requests simultaneously observe an empty user database.\u003c/li\u003e\n\u003cli\u003eThe system incorrectly assigns the \u003ccode\u003eadmin\u003c/code\u003e role to each of these concurrent requests based on the flawed check.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAuths.insert_new_auth\u003c/code\u003e inserts multiple users, all with the \u003ccode\u003eadmin\u003c/code\u003e role.\u003c/li\u003e\n\u003cli\u003eThe attackers gain unauthorized administrative access to the Open WebUI instance.\u003c/li\u003e\n\u003cli\u003eAttackers can then access sensitive user data, system configurations, API keys, and connected LLM backends.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45675 allows any LDAP or OAuth user who authenticates concurrently with the initial legitimate administrator to escalate their privileges to full admin. This grants unauthorized access to all user data, system configurations, API keys, and connected LLM backends. The number of affected installations depends on the adoption rate of Open WebUI and the prevalence of LDAP/OAuth usage, but this vulnerability poses a significant risk to data confidentiality and integrity for affected deployments. The fix was released in v0.9.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Open WebUI to version 0.9.0 or later to remediate CVE-2026-45675.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Open WebUI Multiple Admin Account Creation\u0026rdquo; to monitor for potential exploitation attempts (rule below).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider temporarily disabling LDAP/OAuth authentication and relying on local accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:30:23Z","date_published":"2026-05-14T20:30:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-admin-race/","summary":"Open WebUI versions 0.8.12 and earlier are vulnerable to a time-of-check-time-of-use (TOCTOU) race condition in the LDAP and OAuth authentication flows, allowing multiple concurrent requests on a fresh instance to bypass the first-user admin role assignment and resulting in multiple admin accounts (CVE-2026-45675).","title":"Open WebUI LDAP/OAuth Race Condition Allows Multiple Admin Accounts (CVE-2026-45675)","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-admin-race/"}],"language":"en","title":"CraftedSignal Threat Feed — Open Web UI","version":"https://jsonfeed.org/version/1.1"}