CVE-2026-54019

MEDIUM

Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode

Title source: cna

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions prior to 0.9.6 added collection-level ACL checks for RAG, but that patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL lets unknown, non-knowledge-base collection names through as legacy/ephemeral collections. In Milvus multitenancy mode that user-controlled collection name becomes a resource_id and is interpolated into a Milvus filter expression without escaping, so a crafted name can alter the expression and widen the filter beyond the caller's own data. This is an incomplete fix for CVE-2026-44560. The vulnerability is fixed in 0.9.6.
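The following is an added illustration of the bug class described above (CWE-943: unescaped interpolation into a data-query expression), not Open WebUI's code or its actual fix. It models the multitenancy filter as an f-string over a `resource_id` field, evaluates it with a toy subset of the Milvus boolean expression grammar (the evaluator stands in for Milvus; it is not pymilvus), and shows a collection name that escapes the quoted value and matches every tenant's rows. The hardened builder applies a hypothetical allowlist for collection names; the regex, field name and sample rows are all constructed for this example.

```python
import re

# Constructed sample data: one Milvus collection shared by all tenants, with the
# owning collection/tenant recorded in a resource_id field (the multitenancy layout
# the advisory describes). Rows and names are made up for this example.
ROWS = [
    {"id": 1, "resource_id": "kb-alice", "text": "alice's private notes"},
    {"id": 2, "resource_id": "kb-bob", "text": "bob's private notes"},
    {"id": 3, "resource_id": "legacy", "text": "shared legacy note"},
]

# Hypothetical allowlist for collection names; a real deployment should derive this
# from the names the application itself generates.
COLLECTION_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,255}$")

# Toy grammar: clauses of the form  field == "value"  or  field != "value",
# joined by && and ||. Enough to show the breakout, not a Milvus parser.
CLAUSE_RE = re.compile(r'^\s*(\w+)\s*(==|!=)\s*"([^"]*)"\s*$')


def build_filter_vulnerable(resource_id: str) -> str:
    """Interpolates the user-controlled name straight into the expression (the bug)."""
    return f'resource_id == "{resource_id}"'


def build_filter_hardened(resource_id: str) -> str:
    """Refuses anything that could not be a well-formed collection name."""
    if not COLLECTION_NAME_RE.fullmatch(resource_id):
        raise ValueError(f"rejecting collection name {resource_id!r}")
    return f'resource_id == "{resource_id}"'


def toy_milvus_query(rows, expr: str):
    """Evaluate a boolean expression from the toy grammar over the rows."""

    def clause_matches(row, clause):
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        field, op, value = m.groups()
        actual = row.get(field)
        return actual == value if op == "==" else actual != value

    def conjunction_matches(row, conj):
        return all(clause_matches(row, c) for c in conj.split("&&"))

    return [r for r in rows if any(conjunction_matches(r, d) for d in expr.split("||"))]


def rag_search(rows, collection_name: str, hardened: bool):
    """Simulated RAG lookup: build the tenant filter, then query with it."""
    builder = build_filter_hardened if hardened else build_filter_vulnerable
    return toy_milvus_query(rows, builder(collection_name))


def hardened_rejects(collection_name: str) -> bool:
    """True if the hardened builder refuses the name instead of querying with it."""
    try:
        build_filter_hardened(collection_name)
    except ValueError:
        return True
    return False


# An "unknown non-KB" name the lenient ACL lets through. Once interpolated it yields
#   resource_id == "legacy" || resource_id != ""
# which every row satisfies.
MALICIOUS_NAME = 'legacy" || resource_id != "'


if __name__ == "__main__":
    print("benign:   ", [r["id"] for r in rag_search(ROWS, "legacy", hardened=False)])
    print("injected: ", [r["id"] for r in rag_search(ROWS, MALICIOUS_NAME, hardened=False)])
    print("hardened rejects injected name:", hardened_rejects(MALICIOUS_NAME))
```

The allowlist is only the second line of defence; the root cause in the advisory is that the ACL accepts unknown non-KB names at all, so the first fix is to stop treating arbitrary user-supplied names as legacy collections. Where the name must reach the query layer, prefer the parameterized filter support in recent pymilvus releases over string building, after confirming your version provides it.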


Scores

CVSS v3 6.5
EPSS 0.0028
EPSS Percentile 19.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-862 CWE-943
Status published
Products (2)
open-webui/open-webui < 0.9.6
openwebui/open_webui < 0.9.6
Published Jun 23, 2026
Tracked Since Jun 23, 2026