Open WebUI Unauthorized Access to File and Knowledge Base Content Vulnerability

Vulnerability

A vulnerability in Open WebUI versions through 0.8.12 allows unauthorized access to file and knowledge base content via vector store queries. The issue arises in the 'get_sources_from_items' function, where certain query types bypass authorization checks, enabling users to access restricted information. This vulnerability affects the RAG source resolution in the chat completion pipeline.

Impact

Exploitation of this vulnerability allows users to access and extract content from private files and knowledge bases without authorization, undermining the application's access control model. Once a file or knowledge base has been processed into the vector store, the content can be extracted indefinitely, even after access has been revoked.

Reproduction

To reproduce this vulnerability, upload a private document or knowledge base into the Open WebUI platform. Once embedded into the vector store, share a chat or model referencing the file with another user. After revoking access to the file for that user, send a chat completion request referencing the revoked file ID. The default non-full-context path will query the vector store without an access check, injecting the private file content into the LLM context and allowing the extraction of sensitive information.
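The following is an added illustration of the bug class the advisory describes, not Open WebUI's own code: a minimal RAG source resolver in which the vector-store retrieval path skips the per-file authorization check that the full-context path performs, placed beside a hardened resolver that authorizes every referenced file and knowledge base before either retrieval path runs. The `VectorStore`, `AccessControl`, `resolve_sources*` names, the item format and the sample document are all hypothetical and constructed for this example; the `revocation_scenario` function walks the upload, share, revoke, request steps from the Reproduction section above.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a chat request references content the user may not read."""


@dataclass
class Chunk:
    file_id: str
    text: str


class VectorStore:
    """Stand-in for the embedded-document store (constructed for this example).
    Retrieval is by crude keyword overlap instead of embeddings; the point is
    that the store itself knows nothing about users or permissions."""

    def __init__(self) -> None:
        self._chunks: list[Chunk] = []

    def add(self, file_id: str, text: str) -> None:
        self._chunks.append(Chunk(file_id, text))

    def query(self, file_ids: set[str], query: str) -> list[Chunk]:
        words = set(query.lower().split())
        return [c for c in self._chunks
                if c.file_id in file_ids and words & set(c.text.lower().split())]

    def all_chunks(self, file_ids: set[str]) -> list[Chunk]:
        return [c for c in self._chunks if c.file_id in file_ids]


class AccessControl:
    """Owner plus explicit grants per file; knowledge bases map to member file ids."""

    def __init__(self) -> None:
        self.owners: dict[str, str] = {}
        self.grants: dict[str, set[str]] = {}
        self.knowledge_bases: dict[str, set[str]] = {}

    def add_file(self, file_id: str, owner: str) -> None:
        self.owners[file_id] = owner
        self.grants[file_id] = set()

    def grant(self, file_id: str, user: str) -> None:
        self.grants[file_id].add(user)

    def revoke(self, file_id: str, user: str) -> None:
        self.grants[file_id].discard(user)

    def can_read(self, user: str, file_id: str) -> bool:
        return self.owners.get(file_id) == user or user in self.grants.get(file_id, set())


def _expand_items(items, acl: AccessControl) -> set[str]:
    """Turn chat references ({"type": "file"|"collection", "id": ...}, a
    hypothetical format) into the set of file ids they cover."""
    file_ids: set[str] = set()
    for item in items:
        if item["type"] == "file":
            file_ids.add(item["id"])
        elif item["type"] == "collection":
            file_ids |= acl.knowledge_bases.get(item["id"], set())
        else:
            raise ValueError(f"unknown item type {item['type']!r}")
    return file_ids


def resolve_sources_vulnerable(items, user, query, store, acl, full_context=False):
    """Shape of the flaw: only the full-context path checks access, so the
    default vector-query path returns content for a revoked reference."""
    file_ids = _expand_items(items, acl)
    if full_context:
        for fid in file_ids:
            if not acl.can_read(user, fid):
                raise AccessDenied(fid)
        return [c.text for c in store.all_chunks(file_ids)]
    return [c.text for c in store.query(file_ids, query)]  # no check on this path


def resolve_sources(items, user, query, store, acl, full_context=False):
    """Hardened: authorize every referenced file id first, then retrieve on
    whichever path was requested. Revocation takes effect immediately because
    the check is evaluated per request, not at embedding time."""
    file_ids = _expand_items(items, acl)
    denied = sorted(fid for fid in file_ids if not acl.can_read(user, fid))
    if denied:
        raise AccessDenied(", ".join(denied))
    chunks = store.all_chunks(file_ids) if full_context else store.query(file_ids, query)
    return [c.text for c in chunks]


def revocation_scenario():
    """Owner uploads, shares with a second user, then revokes; the second user
    sends a completion request referencing the revoked file. Returns what the
    vulnerable resolver leaks and whether the hardened resolver blocked it."""
    store, acl = VectorStore(), AccessControl()
    acl.add_file("file-1", "alice")
    store.add("file-1", "quarterly revenue figures are confidential")  # constructed sample
    acl.grant("file-1", "bob")
    acl.revoke("file-1", "bob")
    items = [{"type": "file", "id": "file-1"}]
    leaked = resolve_sources_vulnerable(items, "bob", "revenue figures", store, acl)
    try:
        resolve_sources(items, "bob", "revenue figures", store, acl)
        blocked = False
    except AccessDenied:
        blocked = True
    return leaked, blocked
```

The design point is that the check belongs at the moment the reference is resolved into file ids, before any retrieval, so that every path (vector query, full context, knowledge-base expansion) shares it; a check bolted onto one branch is exactly what leaves the other branch open.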

Remediation

Users can update to Open WebUI version 0.9.0 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 8:31 PM
Updated: May 15, 2026, 8:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 3.6
remediation: 7.7
relevance: 8.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.