https://feed.craftedsignal.io/vendors/open-web-ui/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 14 May 2026 20:32:37 +0000https://feed.craftedsignal.io/briefs/2026-05-open-webui-idor/Thu, 14 May 2026 20:32:37 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-open-webui-idor/Open WebUI is vulnerable to an IDOR vulnerability in its Retrieval API that bypasses knowledge base access controls, allowing any authenticated user who knows a private knowledge base UUID to read, inject content into, or overwrite another user's knowledge base.Open WebUI, a web interface for language models, is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in its Retrieval API. This flaw, identified in commit 4d058a125 (v0.8.11) on March 26, 2026, allows authenticated users to bypass knowledge base access controls. Specifically, the _validate_collection_access function fails to properly validate access to knowledge base collections, which use UUIDs as collection names. As a result, an attacker who knows the UUID of a private knowledge base can read its contents, inject malicious content, or even overwrite the entire knowledge base through the retrieval query endpoints. This vulnerability exists because the validation function only checks for “user-memory-” and “file-” prefixes, leaving knowledge base UUIDs unchecked. This vulnerability is reachable in default configurations, affecting any non-admin account.

Attack Chain

1. Attacker obtains an authenticated account on the Open WebUI instance.
2. Victim user creates a private knowledge base containing sensitive information.
3. Attacker discovers the UUID of the victim’s knowledge base through methods such as shared workspaces, model metadata leakage via the /api/models/list endpoint, URL leakage, or RAG citation metadata in shared chats.
4. Attacker crafts a malicious POST request to /api/v1/retrieval/query/doc or /api/v1/retrieval/query/collection with the victim’s knowledge base UUID as the collection_name, bypassing authorization checks and reading the contents of the knowledge base.
5. Alternatively, the attacker crafts a POST request to /api/v1/retrieval/process/text with the victim’s knowledge base UUID as the collection_name to inject attacker-controlled content into the knowledge base.
6. Or, the attacker crafts a POST request to /api/v1/retrieval/process/web or /api/v1/retrieval/process/youtube with the victim’s knowledge base UUID as the collection_name to overwrite the victim’s entire knowledge base.
7. The injected or replaced content is then used in downstream RAG processes, potentially leading to the exposure of sensitive information or prompt injection attacks.
8. The attacker successfully compromises the confidentiality, integrity, and availability of the victim’s knowledge base.

Impact

This vulnerability allows unauthorized access to private knowledge bases, potentially exposing sensitive information. Attackers can inject malicious content, leading to integrity breaches and potential prompt injection attacks. The ability to overwrite knowledge bases leads to availability issues and data destruction. A successful attack can compromise the confidentiality, integrity, and availability of user data, potentially affecting all users of the Open WebUI instance.

Recommendation

• Deploy the following Sigma rule to detect unauthorized access to knowledge bases by monitoring API requests containing UUID-formatted collection_name parameters: Detect Open WebUI Unauthorized Knowledge Base Access.
• Deploy the Sigma rule Detect Open WebUI Knowledge Base Manipulation via Retrieval API to identify malicious POST requests to /api/v1/retrieval/process/* endpoints with knowledge base UUIDs as collection_name.
• Apply the remediation steps suggested in the original advisory by checking permission on the KB collection in the _validate_collection_access function.
• Monitor web server logs for unusual activity related to the vulnerable endpoints (/api/v1/retrieval/query/doc, /api/v1/retrieval/query/collection, /api/v1/retrieval/process/text, /api/v1/retrieval/process/web, /api/v1/retrieval/process/youtube, /api/v1/retrieval/process/file, /api/v1/retrieval/process/files/batch).

]]>highadvisoryidorauthorization_bypassdata_manipulationhttps://feed.craftedsignal.io/briefs/2026-05-open-webui-admin-race/Thu, 14 May 2026 20:30:23 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-open-webui-admin-race/Open WebUI versions 0.8.12 and earlier are vulnerable to a time-of-check-time-of-use (TOCTOU) race condition in the LDAP and OAuth authentication flows, allowing multiple concurrent requests on a fresh instance to bypass the first-user admin role assignment and resulting in multiple admin accounts (CVE-2026-45675).Open WebUI versions 0.8.12 and earlier are vulnerable to a time-of-check-time-of-use (TOCTOU) race condition in the LDAP and OAuth authentication flows. This vulnerability, identified as CVE-2026-45675, occurs because the LDAP and OAuth authentication code paths determine the admin role before inserting the user into the database. This creates a race condition where multiple concurrent requests to a new Open WebUI instance can all observe an empty user database and, consequently, all be assigned the admin role. The vulnerability was resolved in version 0.9.0 with a change to assign a default role upon user creation, then upgrading that role to admin only if the new user is the sole user in the database. This impacts deployments utilizing LDAP or OAuth for authentication.

Attack Chain

1. Deploy Open WebUI version 0.8.12 or earlier on a fresh instance with either LDAP or OAuth enabled for authentication.
2. An attacker initiates multiple concurrent authentication requests from different user accounts.
3. Each authentication request reaches the has_users() or get_num_users() function in auths.py or oauth.py respectively.
4. Due to the concurrent nature of the requests, multiple requests simultaneously observe an empty user database.
5. The system incorrectly assigns the admin role to each of these concurrent requests based on the flawed check.
6. Auths.insert_new_auth inserts multiple users, all with the admin role.
7. The attackers gain unauthorized administrative access to the Open WebUI instance.
8. Attackers can then access sensitive user data, system configurations, API keys, and connected LLM backends.

Impact

Successful exploitation of CVE-2026-45675 allows any LDAP or OAuth user who authenticates concurrently with the initial legitimate administrator to escalate their privileges to full admin. This grants unauthorized access to all user data, system configurations, API keys, and connected LLM backends. The number of affected installations depends on the adoption rate of Open WebUI and the prevalence of LDAP/OAuth usage, but this vulnerability poses a significant risk to data confidentiality and integrity for affected deployments. The fix was released in v0.9.0.

Recommendation

• Upgrade Open WebUI to version 0.9.0 or later to remediate CVE-2026-45675.
• Deploy the Sigma rule “Detect Open WebUI Multiple Admin Account Creation” to monitor for potential exploitation attempts (rule below).
• If upgrading is not immediately feasible, consider temporarily disabling LDAP/OAuth authentication and relying on local accounts.

]]>highadvisoryprivilege-escalationtime-of-check-time-of-userace-conditioncve-2026-45675cloud