PT-2026-50488 · Pypi · Open-Webui

Publicado

2026-06-17

·

Atualizado

2026-06-17

·

CVE-2026-54016

CVSS v3.1

4.3

Média

VetorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin search knowledge files tool.
When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call search knowledge files with an arbitrary knowledge id. The function then returns file metadata from that knowledge base without checking whether the user has read access.
This allows unauthorized enumeration of private or restricted knowledge base files.

Details

The vulnerable code is in:
backend/open webui/tools/builtin.py
Affected function:
python
async def search knowledge files(
  query: str,
  knowledge id: Optional[str] = None,
  count: int = 5,
  skip: int = 0,
   request : Request = None,
   user : dict = None,
   model knowledge : Optional[list[dict]] = None,
) -> str:
In the "No attached knowledge" branch, when knowledge id is provided, the function directly calls:
python
result = await Knowledges.search files by id(
  knowledge id=knowledge id,
  user id=user id,
  filter={"query": query},
  skip=skip,
  limit=count,
)
This code path does not verify that the current user is authorized to access the specified knowledge base.
The missing check is inconsistent with other nearby code paths. For example, the attached-knowledge branch in the same function checks whether the user is an admin, the owner of the knowledge base, or has explicit read access through AccessGrants:
python
if not (
  user role == "admin"
  or knowledge.user id == user id
  or await AccessGrants.has access(
    user id=user id,
    resource type="knowledge",
    resource id=knowledge.id,
    permission="read",
    user group ids=set(user group ids),
  )
):
  continue
The sibling function query knowledge files also performs the same authorization check before using user-supplied knowledge base IDs.
The underlying method Knowledges.search files by id() receives user id, but it does not enforce authorization for the provided knowledge id. As a result, this builtin tool path can access a knowledge base by ID without verifying the caller's permissions.

PoC

Prerequisites

  • The attacker has a valid authenticated Open WebUI account.
  • The victim owns a private or restricted knowledge base.
  • The attacker does not own the target knowledge base.
  • The attacker does not have read permission for the target knowledge base in AccessGrants.
  • The attacker knows the target knowledge id.
  • The selected model has no attached knowledge bases.
  • Builtin tools are enabled.
  • The knowledge builtin tool category is enabled.
  • Native function calling is enabled.

Reproduction Steps

  1. Create a private or restricted knowledge base as the victim user.
  2. Upload one or more files to that knowledge base.
  3. Confirm that the attacker user does not have access to the knowledge base.
  4. As the attacker user, send a chat completion request with native function calling enabled:
json
{
 "stream": true,
 "model": "gpt-4o-mini",
 "params": {
  "function calling": "native"
 },
 "messages": [
  {
   "role": "user",
   "content": "Please use the search knowledge files tool with knowledge id "c0c84752-2e9d-42bf-bc3c-c0f272aa61c1" to search all files"
  }
 ]
}
Replace c0c84752-2e9d-42bf-bc3c-c0f272aa61c1 with the victim's private knowledge base ID.

Expected Result

The request should be denied because the attacker does not have access to the target knowledge base.

Actual Result

search knowledge files returns metadata for files inside the target knowledge base, including:
  • file ID;
  • filename;
  • knowledge base ID;
  • knowledge base name;
  • update timestamp.

Impact

This is a Broken Object Level Authorization / Broken Access Control vulnerability.
An authenticated attacker who knows a valid knowledge id can enumerate files from private or restricted knowledge bases without authorization.
The leaked metadata may expose sensitive information through filenames, such as:
  • financial reports;
  • employee documents;
  • customer contracts;
  • internal roadmap files;
  • confidential project documents.
The exposed file IDs may also help attackers chain this issue with other knowledge-file access paths, such as view knowledge file, to attempt further content extraction.
This vulnerability bypasses the intended AccessGrants permission model and may also allow post-revocation metadata access if a user remembers a previously accessible knowledge id.

Suggested Fix

Add the same authorization check used in query knowledge files before calling Knowledges.search files by id():
python
if knowledge id:
  knowledge = await Knowledges.get knowledge by id(knowledge id)

  if not knowledge or not (
    user role == "admin"
    or knowledge.user id == user id
    or await AccessGrants.has access(
      user id=user id,
      resource type="knowledge",
      resource id=knowledge.id,
      permission="read",
      user group ids=set(user group ids),
    )
  ):
    return json.dumps({"error": f"Access denied to knowledge base {knowledge id}"})

  result = await Knowledges.search files by id(
    knowledge id=knowledge id,
    user id=user id,
    filter={"query": query},
    skip=skip,
    limit=count,
  )
As defense in depth, authorization should also be enforced or safely wrapped around Knowledges.search files by id() so that future callers cannot accidentally bypass access control.

Correção

Missing Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-862

Identificadores relacionados

CVE-2026-54016
GHSA-CX9V-4QJ2-JRW6

Produtos afetados

Open-Webui