Retrieval web/YouTube processing endpoints:
- backend/open_webui/routers/retrieval.py (lines 1810-1837, process_web)
- backend/open_webui/routers/retrieval.py (the parallel process_youtube endpoint)
- backend/open_webui/routers/retrieval.py (line 1445, save_docs_to_vector_db call chain)
Current main branch (commit 6fdd19bf1) and likely all versions with RAG/knowledge base functionality.
The POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_name and an overwrite query parameter (default: True). It performs no authorization check on whether the calling user owns or has write access to the target collection. When overwrite=True, save_docs_to_vector_db calls VECTOR_DB_CLIENT.delete_collection() on the target collection before writing new content.
Combined with the knowledge base enumeration vulnerability (separate report), an attacker can trivially discover any user's knowledge base UUID and then destroy or poison it.
# retrieval.py:1810-1837 — no collection authorization check
@router.post('/process/web')
async def process_web(
request: Request,
form_data: ProcessUrlForm,
user=Depends(get_verified_user),
...
):
# ... fetch and process the URL ...
save_docs_to_vector_db(
request=request,
docs=docs,
collection_name=form_data.collection_name, # attacker-controlled, unchecked
overwrite=overwrite, # defaults to True
...
)
| Metric | Value | Rationale | |--------|-------|-----------| | Attack Vector | Network (N) | Exploited remotely via API call | | Attack Complexity | Low (L) | Single API call with a known KB UUID | | Privileges Required | Low (L) | Requires any authenticated user account | | User Interaction | None (N) | No victim interaction required | | Scope | Unchanged (U) | Impact within the knowledge base authorization boundary | | Confidentiality | None (N) | No data disclosure from this vulnerability directly | | Integrity | High (H) | Complete replacement of victim's KB content with attacker-controlled data | | Availability | High (H) | Victim's original KB embeddings are deleted; KB effectively destroyed |
knowledge-bases meta-collection (separate finding) or other enumeration.POST /api/v1/retrieval/process/web?overwrite=true
{
"url": "https://attacker.com/poison",
"collection_name": "<victim_kb_uuid>"
}
save_docs_to_vector_db deletes the entire vector collection belonging to the victim's knowledge base.knowledge-bases enumeration finding