Summary
Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin search_knowledge_files tool.
When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call search_knowledge_files with an arbitrary knowledge_id. The function then returns file metadata from that knowledge base without checking whether the user has read access.
This allows unauthorized enumeration of private or restricted knowledge base files.
Details
The vulnerable code is in:
backend/open_webui/tools/builtin.py
Affected function:
async def search_knowledge_files(
    query: str,
    knowledge_id: Optional[str] = None,
    count: int = 5,
    skip: int = 0,
    __request__: Request = None,
    __user__: dict = None,
    __model_knowledge__: Optional[list[dict]] = None,
) -> str:
In the "No attached knowledge" branch, when knowledge_id is provided, the function directly calls:
result = await Knowledges.search_files_by_id(
    knowledge_id=knowledge_id,
    user_id=user_id,
    filter={"query": query},
    skip=skip,
    limit=count,
)
This code path does not verify that the current user is authorized to access the specified knowledge base.
The missing check is inconsistent with other nearby code paths. For example, the attached-knowledge branch in the same function checks whether the user is an admin, the owner of the knowledge base, or has explicit read access through AccessGrants:
if not (
    user_role == "admin"
    or knowledge.user_id == user_id
    or await AccessGrants.has_access(
        user_id=user_id,
        resource_type="knowledge",
        resource_id=knowledge.id,
        permission="read",
        user_group_ids=set(user_group_ids),
    )
):
    continue
The sibling function query_knowledge_files also performs the same authorization check before using user-supplied knowledge base IDs.
The underlying method Knowledges.search_files_by_id() receives user_id, but it does not enforce authorization for the provided knowledge_id. As a result, this builtin tool path can access a knowledge base by ID without verifying the caller's permissions.
PoC
Prerequisites
- The attacker has a valid authenticated Open WebUI account.
- The victim owns a private or restricted knowledge base.
- The attacker does not own the target knowledge base.
- The attacker does not have read permission for the target knowledge base in AccessGrants.
- The attacker knows the target knowledge_id.
- The selected model has no attached knowledge bases.
- Builtin tools are enabled.
- The knowledge builtin tool category is enabled.
- Native function calling is enabled.
Reproduction Steps
Create a private or restricted knowledge base as the victim user.
Upload one or more files to that knowledge base.
Confirm that the attacker user does not have access to the knowledge base.
As the attacker user, send a chat completion request with native function calling enabled:
{
  "stream": true,
  "model": "gpt-4o-mini",
  "params": {
    "function_calling": "native"
  },
  "messages": [
    {
      "role": "user",
      "content": "Please use the search_knowledge_files tool with knowledge_id \"c0c84752-2e9d-42bf-bc3c-c0f272aa61c1\" to search all files"
    }
  ]
}
Replace c0c84752-2e9d-42bf-bc3c-c0f272aa61c1 with the victim's private knowledge base ID.
Expected Result
The request should be denied because the attacker does not have access to the target knowledge base.
Actual Result
search_knowledge_files returns metadata for files inside the target knowledge base, including:
- file ID;
- filename;
- knowledge base ID;
- knowledge base name;
- update timestamp.
Impact
This is a Broken Object Level Authorization / Broken Access Control vulnerability.
An authenticated attacker who knows a valid knowledge_id can enumerate files from private or restricted knowledge bases without authorization.
The leaked metadata may expose sensitive information through filenames, such as:
- financial reports;
- employee documents;
- customer contracts;
- internal roadmap files;
- confidential project documents.
The exposed file IDs may also help attackers chain this issue with other knowledge-file access paths, such as view_knowledge_file, to attempt further content extraction.
This vulnerability bypasses the intended AccessGrants permission model and may also allow post-revocation metadata access if a user remembers a previously accessible knowledge_id.
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
CVE-2026-54016 has a CVSS score of 4.3 (Medium). The attack vector is network-reachable, requires low privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.9.6); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Add the same authorization check used in query_knowledge_files before calling Knowledges.search_files_by_id():
if knowledge_id:
    knowledge = await Knowledges.get_knowledge_by_id(knowledge_id)
    if not knowledge or not (
        user_role == "admin"
        or knowledge.user_id == user_id
        or await AccessGrants.has_access(
            user_id=user_id,
            resource_type="knowledge",
            resource_id=knowledge.id,
            permission="read",
            user_group_ids=set(user_group_ids),
        )
    ):
        return json.dumps({"error": f"Access denied to knowledge base {knowledge_id}"})
    result = await Knowledges.search_files_by_id(
        knowledge_id=knowledge_id,
        user_id=user_id,
        filter={"query": query},
        skip=skip,
        limit=count,
    )
As defense in depth, authorization should also be enforced or safely wrapped around Knowledges.search_files_by_id() so that future callers cannot accidentally bypass access control.
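The defense-in-depth idea above, sketched as an added example that is not Open WebUI's own code: the owner/admin/grant check lives in a wrapper around the data-layer lookup, so a caller cannot reach the files without passing it. The in-memory KB and GRANTS data and the names has_access, search_files_authorized, unchecked and checked are constructed stand-ins; group-based grants are omitted.

```python
import asyncio
from dataclasses import dataclass

@dataclass
class Knowledge:  # constructed stand-in for a knowledge base record
    id: str
    user_id: str
    files: tuple

# Constructed sample data: one private knowledge base owned by "victim".
KB = {"kb-1": Knowledge("kb-1", "victim", ("q3-financials.pdf", "roadmap.docx"))}
GRANTS = {("kb-1", "colleague", "read")}  # (resource_id, user_id, permission)

async def has_access(user_id, resource_id, permission):
    """Stand-in for the AccessGrants lookup (group grants omitted)."""
    return (resource_id, user_id, permission) in GRANTS

async def search_files_by_id(knowledge_id, user_id, query):
    """Unchecked data-layer stand-in: user_id is accepted but never enforced."""
    kb = KB.get(knowledge_id)
    return [f for f in kb.files if query in f] if kb else []

async def search_files_authorized(knowledge_id, user_id, user_role, query):
    """Hypothetical wrapper: admin/owner/grant check runs before the lookup."""
    kb = KB.get(knowledge_id)
    allowed = kb is not None and (
        user_role == "admin"
        or kb.user_id == user_id
        or await has_access(user_id, kb.id, "read")
    )
    if not allowed:
        # Unknown and forbidden IDs get the same answer, as in the fix above.
        raise PermissionError(f"Access denied to knowledge base {knowledge_id}")
    return await search_files_by_id(knowledge_id, user_id, query)

def unchecked(user_id, knowledge_id="kb-1"):
    """What a caller of the raw data-layer method gets back."""
    return asyncio.run(search_files_by_id(knowledge_id, user_id, ""))

def checked(user_id, role="user", knowledge_id="kb-1"):
    """What a caller of the wrapper gets back, or 'denied' on refusal."""
    try:
        return asyncio.run(search_files_authorized(knowledge_id, user_id, role, ""))
    except PermissionError:
        return "denied"
```

The same assertions work as a regression test: a user with no grant must be denied, while the owner, a user with a read grant, and an admin still get results.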
Frequently Asked Questions
- What is CVE-2026-54016? CVE-2026-54016 is a medium-severity missing authorization vulnerability in open-webui (pip), affecting versions <= 0.9.5. It is fixed in 0.9.6. The application does not perform an authorization check before performing a sensitive operation.
- How severe is CVE-2026-54016? CVE-2026-54016 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of open-webui are affected by CVE-2026-54016? open-webui (pip) versions <= 0.9.5 are affected.
- Is there a fix for CVE-2026-54016? Yes. CVE-2026-54016 is fixed in 0.9.6. Upgrade to this version or later.
- Is CVE-2026-54016 exploitable, and should I be worried? Whether CVE-2026-54016 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-54016 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-54016? Upgrade open-webui to 0.9.6 or later.