Open WebUI Knowledge Base Overwrite Vulnerability Allowing Unauthorized Data Manipulation

Vulnerability

A vulnerability in Open WebUI versions prior to 0.9.0 allows for unauthorized overwriting of user-specific knowledge base collections. The issue arises in the POST /api/v1/retrieval/process/web endpoint, which accepts a collection_name and an overwrite query parameter. The endpoint lacks proper authorization checks to verify if the user has ownership or write access to the specified collection. When overwrite is set to true, the vulnerability enables deletion of the original collection before new content is added, potentially leading to knowledge base destruction and manipulation.
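
The following is an added example, not code from the Open WebUI project, that models the missing authorization check described above against a constructed in-memory vector store. The store, user ids, collection names and function names (process_web_unchecked, process_web_checked, Forbidden) are assumptions made for illustration; the point it demonstrates is that the ownership check must run before the overwrite deletes the existing embeddings.

```python
"""Added example (not Open WebUI's own code): a minimal model of the
collection-overwrite authorization gap, with the vulnerable handler shape
beside a hardened one. All names and data here are constructed."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller lacks write access to a collection."""


@dataclass
class Collection:
    owner_id: str
    documents: list = field(default_factory=list)


@dataclass
class VectorStore:
    """Constructed in-memory stand-in for the vector store holding embeddings."""
    collections: dict = field(default_factory=dict)

    def delete_collection(self, name: str) -> None:
        self.collections.pop(name, None)

    def add(self, name: str, owner_id: str, docs: list) -> None:
        col = self.collections.setdefault(name, Collection(owner_id=owner_id))
        col.documents.extend(docs)


def process_web_unchecked(store, user_id, collection_name, overwrite, fetched_docs):
    """Vulnerable shape: honours `overwrite` for any collection name the caller
    supplies, without checking who owns that collection."""
    if overwrite:
        store.delete_collection(collection_name)  # original embeddings are gone
    store.add(collection_name, user_id, fetched_docs)


def process_web_checked(store, user_id, collection_name, overwrite, fetched_docs,
                        is_admin=False):
    """Hardened shape: the caller must own the collection (or be an admin)
    before anything is deleted or written. The check precedes the delete."""
    existing = store.collections.get(collection_name)
    if existing is not None and existing.owner_id != user_id and not is_admin:
        raise Forbidden(f"user {user_id} may not write to collection {collection_name}")
    owner_id = existing.owner_id if existing is not None else user_id
    if overwrite:
        store.delete_collection(collection_name)
    store.add(collection_name, owner_id, fetched_docs)


def demo():
    """Run both handler shapes against the same starting state (constructed data).
    Returns (docs after unchecked overwrite, whether the checked path refused,
    docs after the checked attempt)."""
    # Constructed state: "alice" owns one collection holding one document.
    store = VectorStore()
    store.add("kb-alice", "alice", ["alice policy doc"])
    process_web_unchecked(store, "mallory", "kb-alice", True, ["fetched page"])
    unchecked_docs = list(store.collections["kb-alice"].documents)

    store = VectorStore()
    store.add("kb-alice", "alice", ["alice policy doc"])
    try:
        process_web_checked(store, "mallory", "kb-alice", True, ["fetched page"])
        refused = False
    except Forbidden:
        refused = True
    checked_docs = list(store.collections["kb-alice"].documents)
    return unchecked_docs, refused, checked_docs


if __name__ == "__main__":
    print(demo())
```

The ordering in process_web_checked matters: a check placed after the delete call would still leave the original embeddings destroyed when it fails, so the authorization decision has to be made before any destructive step. A second-user write to an owned collection is also a cheap thing to alert on at the application or proxy layer while the upgrade is rolled out.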

Impact

Exploitation of this vulnerability permanently deletes the original knowledge base embeddings from the vector store, replacing them with attacker-controlled content. This not only poisons the knowledge base, causing the language model to return misleading or harmful responses, but also allows for indirect prompt injection, where crafted prompts can manipulate the language model's behavior. The effects persist until the knowledge base is rebuilt from source files.

Reproduction

To reproduce this vulnerability, an authenticated user sends a POST request to the /api/v1/retrieval/process/web endpoint with the overwrite query parameter set to true and the collection_name of a collection they do not own. The request includes a URL from which content is fetched; that content is embedded and saved to the specified collection after the original contents are deleted. Collection names are knowledge base UUIDs, which can be obtained through enumeration.

Remediation

Users can update to Open WebUI version 0.9.0 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 8:35 PM
Updated: May 15, 2026, 8:35 PM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          2.5
exploitability  4.6
remediation     7.7
relevance       8.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.