PT-2026-39277 · Unknown · Open-Webui

Published 2026-05-08 · Updated 2026-05-16 · CVE-2026-44560
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.0
Description: The get_sources_from_items() function resolves file and knowledge base references into vector search queries during chat completion. Certain code paths perform vector store queries without authorization checks, allowing users to extract content from files and knowledge bases they are not permitted to access. Specifically, the issue occurs when using type: "file" (non-full-context), type: "text" with a collection_name, or the bare collection_name/collection_names paths. These paths pass user-supplied collection names directly to query_collection(), which queries the vector store without verifying permissions. This can be exploited via the '/api/chat/completions' endpoint by providing a known file ID or knowledge base UUID in the request.
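To make the missing check concrete, the following is a small Python model of the item-resolution step described above. It is an added example, not Open WebUI's code: the vector store, the sharing table, has_access() and the item shapes are constructed assumptions that mirror the three paths the advisory names, with the unchecked resolver beside a hardened one that authorizes every collection name before querying.

```python
# Constructed vector store: collection_name -> (owner, stored chunks).
VECTOR_STORE = {
    "file-1111": ("alice", ["alice's private file"]),
    "kb-2222": ("bob", ["bob's knowledge base"]),
}
# Constructed sharing table: extra users allowed to read a collection.
SHARED_WITH = {"kb-2222": {"alice"}}


def query_collection(collection_names, query):
    """Toy vector store lookup; like a real store it has no notion of the caller.
    The query text is ignored here, every chunk of each collection is returned."""
    return [c for name in collection_names for c in VECTOR_STORE.get(name, (None, []))[1]]


def has_access(user, collection_name):
    """Hypothetical authorization policy: owner or explicitly shared user."""
    owner = VECTOR_STORE.get(collection_name, (None, None))[0]
    return owner == user or user in SHARED_WITH.get(collection_name, set())


def collection_names_from_item(item):
    """The item shapes named in the advisory, each reduced to user-supplied names."""
    if item.get("type") == "file" and item.get("context") != "full":
        return [item["id"]]                      # type "file", non-full-context
    if "collection_name" in item:                # type "text" or bare collection_name
        return [item["collection_name"]]
    if "collection_names" in item:               # bare collection_names list
        return list(item["collection_names"])
    return []


def get_sources_vulnerable(user, items, query):
    """Model of the flawed pattern: names go straight to the store, user is ignored."""
    names = [n for it in items for n in collection_names_from_item(it)]
    return query_collection(names, query)


def get_sources_fixed(user, items, query):
    """Hardened pattern: refuse the whole request if any name fails the check."""
    names = [n for it in items for n in collection_names_from_item(it)]
    denied = [n for n in names if not has_access(user, n)]
    if denied:
        raise PermissionError(f"{user} may not read {denied}")
    return query_collection(names, query)
```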
Recommendations: Update to version 0.9.0. As a temporary workaround, restrict access to the '/api/chat/completions' endpoint to trusted users only.

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-44560, GHSA-H36F-RQPX-J5WX

Affected Products: Open-Webui