CVE-2026-54019: Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode
This is a bypass of the fix for:
- GHSA-h36f-rqpx-j5wx
- CVE-2026-44560
- “Unauthorized File and Knowledge Base Content Access via RAG Vector Search”
Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as legacy/ephemeral collections. In Milvus multitenancy mode, that user-controlled collection name becomes a resource_id and is interpolated into a Milvus expression without escaping.
An authenticated non-admin user can query:
x' or resource_id != '' or resource_id == 'x
This passes the Open WebUI ACL as an unknown collection, but Milvus evaluates:
resource_id == 'x' or resource_id != '' or resource_id == 'x'
That returns private knowledge-base chunks belonging to other users.
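The two patterns the advisory contrasts, shown side by side as an added example (this is not Open WebUI's or Milvus's code): a filter builder that interpolates the user-supplied collection name without escaping, and a hardened builder that rejects anything outside a strict allow-list of characters and of collections the caller is actually authorized to read. The field name resource_id and the payload string are taken from the advisory; the sample rows, function names, the allow-list regex and the toy expression evaluator are constructed assumptions so the effect of the filter can be observed offline without a Milvus instance.

```python
import re

# Constructed sample chunks standing in for rows of one shared Milvus
# collection in multitenancy mode, where resource_id carries the per-tenant
# collection name (assumption; the real schema may differ).
SAMPLE_ROWS = [
    {"resource_id": "kb-alice", "text": "alice private chunk"},
    {"resource_id": "kb-bob", "text": "bob private chunk"},
    {"resource_id": "x", "text": "ephemeral chunk"},
]

# Payload string as given in the advisory.
PAYLOAD = "x' or resource_id != '' or resource_id == 'x"


def build_filter_vulnerable(collection_name: str) -> str:
    """Pattern the advisory describes: the ACL let an unknown collection name
    through, and it is dropped straight into the expression string."""
    return f"resource_id == '{collection_name}'"


# Hypothetical allow-list: only characters that can never terminate a quoted
# literal or introduce an operator. Rejecting is safer than trying to escape,
# since that avoids depending on the exact quoting rules of the backend parser.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,255}$")


def build_filter_hardened(collection_name: str, allowed_collections) -> str:
    """Hardened form: validate the name syntactically, then require that it is a
    collection the caller is entitled to read. Unknown/"legacy" names are no
    longer accepted implicitly, which closes the gap the advisory describes."""
    if not SAFE_NAME.fullmatch(collection_name):
        raise ValueError(f"invalid collection name: {collection_name!r}")
    if collection_name not in allowed_collections:
        raise PermissionError(f"not authorized for collection {collection_name!r}")
    return f"resource_id == '{collection_name}'"


# Toy evaluator for the tiny expression subset used here: a flat chain of
# "resource_id == '...'" / "resource_id != '...'" comparisons joined by "or".
# It stands in for the backend's parser only to show which rows a filter
# selects; it is not Milvus code and implements none of its real grammar.
CLAUSE = re.compile(r"^resource_id\s*(==|!=)\s*'([^']*)'$")


def toy_eval(expr: str, row: dict) -> bool:
    for clause in expr.split(" or "):
        m = CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause in toy evaluator: {clause!r}")
        op, value = m.groups()
        hit = row["resource_id"] == value
        if (op == "==" and hit) or (op == "!=" and not hit):
            return True
    return False


def run_filter(expr: str, rows=SAMPLE_ROWS):
    """Return the text of every row the filter expression selects."""
    return [r["text"] for r in rows if toy_eval(expr, r)]


if __name__ == "__main__":
    # The vulnerable builder reproduces the evaluated expression from the
    # advisory, and the toy evaluator selects every tenant's rows for it.
    expr = build_filter_vulnerable(PAYLOAD)
    print(expr)
    print(run_filter(expr))
    # The hardened builder rejects the same input before any query is built.
    try:
        build_filter_hardened(PAYLOAD, {"kb-alice"})
    except ValueError as e:
        print("rejected:", e)
```

Running the block prints the expanded expression, the three rows the unescaped filter selects (two of them belonging to other tenants), and the rejection raised by the hardened builder. The design point is that the hardened path does two independent things: it refuses any name that could alter expression structure, and it drops the "unknown collection is allowed" fallback so that authorization is decided against an explicit set rather than by the absence of a match.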