Open WebUI Knowledge Base Enumeration Vulnerability

Vulnerability

A vulnerability in Open WebUI versions prior to 0.9.0 allows authenticated users to enumerate knowledge bases across all users via the system-level 'knowledge-bases' meta-collection. The issue arises because the '_validate_collection_access' function implements an incomplete allowlist, only enforcing ownership checks for collections that match 'user-memory-*' and 'file-*' patterns. As a result, all other collection names, including the 'knowledge-bases' meta-collection, are not properly validated. This vulnerability enables the extraction of a global index of knowledge bases, including their UUIDs, names, and descriptions, which can be exploited in conjunction with other vulnerabilities to manipulate or access knowledge base content.
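To make the allowlist fall-through concrete, here is an added, constructed example that is not Open WebUI's code: a pattern-based access check that permits any collection name it does not recognize, beside a deny-by-default version that requires an explicit ownership rule for every collection kind. The regexes, the ownership tables and the function names are assumptions made for illustration.

```python
import re

# Hypothetical patterns modelling the two collection kinds the advisory says
# were checked; the real _validate_collection_access may differ.
USER_MEMORY_RE = re.compile(r"^user-memory-(?P<owner>.+)$")
FILE_RE = re.compile(r"^file-(?P<file_id>.+)$")

# Constructed ownership tables (sample data, not real instance data).
FILE_OWNERS = {"f1": "alice", "f2": "bob"}      # file id -> owner
KB_OWNERS = {"kb-1": "alice", "kb-2": "bob"}    # knowledge base id -> owner


def validate_incomplete(user_id, collection_name):
    """Incomplete allowlist: only two name patterns get an ownership check,
    and every other name (including a system-level meta-collection such as
    'knowledge-bases') silently falls through and is permitted."""
    m = USER_MEMORY_RE.match(collection_name)
    if m:
        return m.group("owner") == user_id
    m = FILE_RE.match(collection_name)
    if m:
        return FILE_OWNERS.get(m.group("file_id")) == user_id
    return True  # the flaw: unrecognised names are allowed by default


def validate_deny_by_default(user_id, collection_name):
    """Hardened form: each collection kind has an explicit rule, system-level
    meta-collections are never user-queryable, and unknown names are denied."""
    m = USER_MEMORY_RE.match(collection_name)
    if m:
        return m.group("owner") == user_id
    m = FILE_RE.match(collection_name)
    if m:
        return FILE_OWNERS.get(m.group("file_id")) == user_id
    if collection_name in KB_OWNERS:
        return KB_OWNERS[collection_name] == user_id
    return False  # deny anything without an explicit ownership rule


def compare(user_id, collection_name):
    """Return (incomplete_result, hardened_result) for one access decision."""
    return (validate_incomplete(user_id, collection_name),
            validate_deny_by_default(user_id, collection_name))
```

A useful regression check for any such validator is to assert that every name outside the recognised patterns is rejected, not just the specific meta-collection named in the advisory.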

Impact

This vulnerability discloses metadata of knowledge bases, such as IDs, names, and descriptions, across all users. Additionally, it serves as a gateway for other attacks by providing the necessary UUIDs for targeting specific knowledge bases. Exploiting this vulnerability transforms the process of identifying knowledge bases from a guessing game into a straightforward enumeration task.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/api/v1/retrieval/query/doc' endpoint with the collection name set to 'knowledge-bases'. The request will bypass the collection access validation, allowing the user to retrieve a list of all knowledge bases on the instance, including their UUIDs, names, and descriptions. This enumeration can be repeated with different query variations to extract additional knowledge base records.

Remediation

Users are advised to update Open WebUI to version 0.9.0 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 8:33 PM
Updated: May 15, 2026, 8:33 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          0.6
exploitability  4.6
remediation     7.7
relevance       8.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.