GHSA-65pg-qhhw-mxwg

Vulnerability Type: Information Disclosure / Missing Authentication
Severity: Medium
Component: backend/open_webui/routers/retrieval.py — get_status() (GET /)
Affected Endpoint: GET /api/v1/retrieval/
Affected Version: Open WebUI main branch — confirmed unpatched through v0.9.2
Authentication Required: None — internet-facing with zero credentials
CVSSv3.1 Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Summary

GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, cookie, or API key is required. Every adjacent endpoint on the same router (/embedding, /config) is correctly guarded by get_admin_user making this a targeted omission.

Root Cause

backend/open_webui/routers/retrieval.py:262

@router.get('/')
async def get_status(request: Request):   # ← no Depends(get_verified_user)
    return {
        'status': True,
        'CHUNK_SIZE': request.app.state.config.CHUNK_SIZE,
        'CHUNK_OVERLAP': request.app.state.config.CHUNK_OVERLAP,
        'RAG_TEMPLATE': request.app.state.config.RAG_TEMPLATE,
        'RAG_EMBEDDING_ENGINE': request.app.state.config.RAG_EMBEDDING_ENGINE,
        'RAG_EMBEDDING_MODEL': request.app.state.config.RAG_EMBEDDING_MODEL,
        'RAG_RERANKING_MODEL': request.app.state.config.RAG_RERANKING_MODEL,
        'RAG_EMBEDDING_BATCH_SIZE': request.app.state.config.RAG_EMBEDDING_BATCH_SIZE,
        'ENABLE_ASYNC_EMBEDDING': request.app.state.config.ENABLE_ASYNC_EMBEDDING,
        'RAG_EMBEDDING_CONCURRENT_REQUESTS': request.app.state.config.RAG_EMBEDDING_CONCURRENT_REQUESTS,
    }

Compare with every adjacent endpoint on the same router:

@router.get('/embedding')
async def get_embedding_config(request: Request, user=Depends(get_admin_user)):  # ✅

@router.get('/config')
async def get_rag_config(request: Request, user=Depends(get_admin_user)):        # ✅

Proof Of Concept — No Token Required

curl -s http://TARGET/api/v1/retrieval/

{
  "status": true,
  "CHUNK_SIZE": 1000,
  "CHUNK_OVERLAP": 100,
  "RAG_TEMPLATE": "### Task:\nRespond to the user query using the provided context...\n<context>\n{{CONTEXT}}\n</context>",
  "RAG_EMBEDDING_ENGINE": "",
  "RAG_EMBEDDING_MODEL": "sentence-transformers/all-MiniLM-L6-v2",
  "RAG_RERANKING_MODEL": "",
  "RAG_EMBEDDING_BATCH_SIZE": 1,
  "ENABLE_ASYNC_EMBEDDING": true,
  "RAG_EMBEDDING_CONCURRENT_REQUESTS": 0
}

Disclosed Information and Its Value to an Attacker

| Field | What it reveals | |---|---| | RAG_EMBEDDING_ENGINE | Backend type (OpenAI, Ollama, Azure, etc.) | | RAG_EMBEDDING_MODEL | Exact model name — reveals embedding model | | RAG_RERANKING_MODEL | Reranker in use — reveals reranker | | RAG_TEMPLATE | RAG template — exposes the RAG template | | CHUNK_SIZE / CHUNK_OVERLAP | Chunking parameters — enables exact reconstruction of how documents are split and retrieved |

Attack Scenario

1. Attacker sends one unauthenticated HTTP GET to /api/v1/retrieval/.
2. Response reveals the embedding model and chunking parameters.
3. Attacker uses the exact chunk size/overlap to craft RAG poisoning payloads that are guaranteed to be retrieved.

Impact

1. RAG template disclosure
2. Infrastructure fingerprinting — embedding engine and model name reveal the AI stack to an internet scanner
3. RAG attack surface mapping — chunk parameters enable precise calculation of retrieval boundaries
4. Zero-effort recon — no brute force, no credentials, no rate-limit concern. Single request from any IP.

Recommended Fix

Add get_verified_user dependency (or get_admin_user for stricter control):

# BEFORE (vulnerable)
@router.get('/')
async def get_status(request: Request):


# AFTER
@router.get('/')
async def get_status(request: Request, user=Depends(get_verified_user)):