CVE-2026-54019
Undergoing Analysis - In Progress
ACL Bypass in Open WebUI via Milvus Multitenancy

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as legacy/ephemeral collections. In Milvus multitenancy mode, that user-controlled collection name becomes a resource_id and is interpolated into a Milvus expression without escaping. This is caused by an incomplete fix for CVE-2026-44560. This vulnerability is fixed in 0.9.6.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
open_webui open_webui to 0.9.6 (inc)
open_webui open_webui to 0.9.6 (exc)
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Executive Summary

CVE-2026-54019 is a vulnerability in Open WebUI versions 0.9.5 and earlier when used with Milvus multitenancy mode enabled. It allows an authenticated low-privilege user to bypass access control lists (ACLs) and read private knowledge-base content belonging to other users without their interaction.

The root cause is that Open WebUI permits unknown collection names as legacy or ephemeral collections, and Milvus multitenancy mode treats these user-controlled collection names as resource IDs without proper validation or escaping. This allows an attacker to craft malicious collection names that bypass ACL checks and get interpolated into Milvus query expressions, resulting in unauthorized data access.

Impact Analysis

This vulnerability can impact you by allowing an authenticated low-privilege user to access private retrieval-augmented generation (RAG) or knowledge-base content belonging to other users without permission.

Such unauthorized access can lead to exposure of sensitive or confidential information stored in private collections, potentially compromising data confidentiality and trust in the system.

Detection Guidance

This vulnerability can be detected by checking if your Open WebUI deployment is running version 0.9.5 or earlier with Milvus multitenancy mode enabled. Specifically, detection involves verifying whether unknown or user-controlled collection names are accepted and used as resource IDs without proper escaping in Milvus query expressions.

One way to detect exploitation attempts is to monitor for suspicious collection names containing special characters or crafted payloads such as "x' or resource_id != '' or resource_id == 'x", which are designed to bypass ACL checks.

While no explicit commands are provided in the resources, you can audit logs or query parameters for collection names with quotes or control characters and test your system by attempting to create or query collections with such names to see if unauthorized data is accessible.

Mitigation Strategies

Immediate mitigation steps include upgrading Open WebUI to version 0.9.6 or later, where this vulnerability is fixed.

Additionally, you should prevent arbitrary unknown collection names in user-controlled RAG query endpoints by rejecting collection names containing quotes or control characters unless they match known internal formats.

Ensure that Milvus expression values are properly escaped or parameterized to avoid injection of malicious queries.

Finally, add regression tests for this payload in your Milvus multitenancy mode environment to verify that the ACL bypass cannot be reproduced.
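
An added example (not Open WebUI's own code) of the collection-name check and regression test described above; the same check can be run over request logs for the audit under Detection Guidance. The allowlist pattern, the log record fields and the function names are assumptions, and the filter shape is inferred from the payload quoted on this page.

```python
import re
import unicodedata

# Assumed allowlist for collection names / resource IDs (hypothetical; replace
# with the internal formats your deployment really issues).
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,128}")

def name_problems(name: str) -> list[str]:
    """Return the reasons a collection name should be rejected (empty = OK)."""
    problems = []
    if any(ch in name for ch in "'\"\\"):
        problems.append("quote-or-backslash")
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        problems.append("control-character")
    if not SAFE_NAME.fullmatch(name):
        problems.append("not-in-allowlist")
    return problems

def resource_filter(name: str) -> str:
    """Build the multitenancy filter only from a validated name."""
    problems = name_problems(name)
    if problems:
        raise ValueError(f"rejected collection name: {', '.join(problems)}")
    # Safe to interpolate: the allowlist excludes quotes and backslashes.
    return f"resource_id == '{name}'"

def flag_requests(records: list[dict]) -> list[tuple[str, list[str]]]:
    """Audit helper: (user, problems) for each logged request with a bad name."""
    hits = []
    for rec in records:
        for name in rec.get("collection_names", []):
            problems = name_problems(name)
            if problems:
                hits.append((rec["user"], problems))
    return hits

# String quoted in this advisory, kept as a regression-test input.
PAYLOAD = "x' or resource_id != '' or resource_id == 'x"
# Constructed sample records (not real logs); field names are assumptions.
SAMPLE = [
    {"user": "alice", "collection_names": ["file-3f2a9c"]},
    {"user": "mallory", "collection_names": [PAYLOAD]},
    {"user": "bob", "collection_names": ["notes\x00"]},
]

if __name__ == "__main__":
    for user, problems in flag_requests(SAMPLE):
        print(user, problems)
```

Validation of this kind is defence in depth on the request path; it does not replace the upgrade to 0.9.6.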

Compliance Impact

This vulnerability allows an authenticated low-privilege user to bypass access control lists (ACLs) and read private knowledge-base content belonging to other users without requiring victim interaction.

Such unauthorized access to private data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.

Therefore, if exploited in a production environment using Milvus multitenancy mode, this vulnerability could compromise compliance by exposing private user data to unauthorized parties.
