PT-2026-41192 · Unknown · Open-Webui
Published: 2026-05-10 · Updated: 2026-05-19 · CVE-2026-45397
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.5
Description: An information disclosure issue exists where the GET /api/v1/retrieval/ endpoint returns the live RAG (Retrieval-Augmented Generation) pipeline configuration to any unauthenticated HTTP client; no Authorization header, cookie or API key is required to access this data. The issue is located in the get_status() function in the backend/open_webui/routers/retrieval.py component. This allows an attacker to obtain sensitive infrastructure details, including RAG_EMBEDDING_ENGINE, RAG_EMBEDDING_MODEL, RAG_RERANKING_MODEL, RAG_TEMPLATE, CHUNK_SIZE and CHUNK_OVERLAP.
Recommendations: Update to version 0.9.5.
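As an added example (not part of this advisory or of the Open WebUI project), a stdlib-only Python check for defenders: it flags access-log entries that show the behaviour described above, successful GETs of /api/v1/retrieval/ carrying no credentials, and tests whether a deployed version falls in the affected range. The access-log format and its "auth" field are constructed assumptions for the demonstration; Open WebUI's own logs do not record requests this way.

```python
import re
from typing import Iterable

# Version at which the endpoint gained an authentication requirement (from the advisory).
FIXED_VERSION = (0, 9, 5)
# Endpoint named in the advisory; the trailing slash is part of the path.
RETRIEVAL_STATUS_PATH = "/api/v1/retrieval/"

# Constructed reverse-proxy access-log format (an assumption, not Open WebUI's own
# log format): client, method, path, HTTP status, then "auth" if the request carried
# an Authorization header or session cookie, "-" otherwise.
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) (?P<auth>auth|-)$'
)

def parse_version(text: str) -> tuple:
    """Turn '0.9.4' or 'v0.10.0' into an int tuple so versions compare numerically."""
    return tuple(int(p) for p in text.strip().lstrip("v").split("."))

def is_affected(version: str) -> bool:
    """True for any Open WebUI release before 0.9.5."""
    return parse_version(version) < FIXED_VERSION

def find_unauthenticated_config_reads(lines: Iterable[str]) -> list:
    """Return (client, status) for successful, credential-less GETs of the RAG status endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        path = m["path"].split("?")[0]  # ignore any query string
        if (m["method"] == "GET" and path == RETRIEVAL_STATUS_PATH
                and m["auth"] == "-" and m["status"] == "200"):
            hits.append((m["client"], int(m["status"])))
    return hits

# Constructed sample log lines for the demonstration (documentation-range addresses).
SAMPLE_LOG = [
    '10.0.0.5 "GET /api/v1/retrieval/" 200 auth',
    '203.0.113.7 "GET /api/v1/retrieval/" 200 -',
    '203.0.113.7 "GET /api/v1/retrieval/other" 401 -',
    '198.51.100.2 "POST /api/v1/retrieval/" 405 -',
    '203.0.113.9 "GET /api/v1/retrieval/?x=1" 200 -',
]

if __name__ == "__main__":
    for client, status in find_unauthenticated_config_reads(SAMPLE_LOG):
        print(f"unauthenticated RAG config read from {client} (HTTP {status})")
```

After upgrading to 0.9.5, the same credential-less request should no longer appear with a 200 status, which is the simplest post-patch verification on your own instance.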

Exploit

Fix

Weakness Enumeration: Missing Authentication

Related Identifiers

BDU:2026-07224
CVE-2026-45397
GHSA-65PG-QHHW-MXWG

Affected Products

Open-Webui