Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure
Vulnerability Type: Information Disclosure / Missing Authentication
Severity: Medium
Component: backend/open_webui/routers/retrieval.py — get_status() (GET /)
Affected Endpoint: GET /api/v1/retrieval/
Affected Version: Open WebUI main branch — confirmed unpatched through v0.9.2
Authentication Required: None — internet-facing with zero credentials
CVSSv3.1 Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Summary
GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, cookie, or API key is required. Every adjacent endpoint on the same router (/embedding, /config) is correctly guarded by get_admin_user making this a targeted omission.
Root Cause
backend/open_webui/routers/retrieval.py:262
@router.get('/')
async def get_status(request: Request): # ← no Depends(get_verified_user)
return {
'status': True,
'CHUNK_SIZE': request.app.state.config.CHUNK_SIZE,
'CHUNK_OVERLAP': request.app.state.config.CHUNK_OVERLAP,
'RAG_TEMPLATE': request.app.state.config.RAG_TEMPLATE,
'RAG_EMBEDDING_ENGINE': request.app.state.config.RAG_EMBEDDING_ENGINE,
'RAG_EMBEDDING_MODEL': request.app.state.config.RAG_EMBEDDING_MODEL,
'RAG_RERANKING_MODEL': request.app.state.config.RAG_RERANKING_MODEL,
'RAG_EMBEDDING_BATCH_SIZE': request.app.state.config.RAG_EMBEDDING_BATCH_SIZE,
'ENABLE_ASYNC_EMBEDDING': request.app.state.config.ENABLE_ASYNC_EMBEDDING,
'RAG_EMBEDDING_CONCURRENT_REQUESTS': request.app.state.config.RAG_EMBEDDING_CONCURRENT_REQUESTS,
}
Compare with every adjacent endpoint on the same router:
@router.get('/embedding')
async def get_embedding_config(request: Request, user=Depends(get_admin_user)): # ✅
@router.get('/config')
async def get_rag_config(request: Request, user=Depends(get_admin_user)): # ✅
Proof Of Concept — No Token Required
curl -s http://TARGET/api/v1/retrieval/
{
"status": true,
"CHUNK_SIZE": 1000,
"CHUNK_OVERLAP": 100,
"RAG_TEMPLATE": "### Task:\nRespond to the user query using the provided context...\n\n{{CONTEXT}}\n",
"RAG_EMBEDDING_ENGINE": "",
"RAG_EMBEDDING_MODEL": "sentence-transformers/all-MiniLM-L6-v2",
"RAG_RERANKING_MODEL": "",
"RAG_EMBEDDING_BATCH_SIZE": 1,
"ENABLE_ASYNC_EMBEDDING": true,
"RAG_EMBEDDING_CONCURRENT_REQUESTS": 0
}
Disclosed Information and Its Value to an Attacker
| Field | What it reveals |
|---|---|
RAG_EMBEDDING_ENGINE |
Backend type (OpenAI, Ollama, Azure, etc.) |
RAG_EMBEDDING_MODEL |
Exact model name — reveals embedding model |
RAG_RERANKING_MODEL |
Reranker in use — reveals reranker |
RAG_TEMPLATE |
RAG template — exposes the RAG template |
CHUNK_SIZE / CHUNK_OVERLAP |
Chunking parameters — enables exact reconstruction of how documents are split and retrieved |
Attack Scenario
- Attacker sends one unauthenticated HTTP GET to
/api/v1/retrieval/. - Response reveals the embedding model and chunking parameters.
- Attacker uses the exact chunk size/overlap to craft RAG poisoning payloads that are guaranteed to be retrieved.
Impact
- RAG template disclosure
- Infrastructure fingerprinting — embedding engine and model name reveal the AI stack to an internet scanner
- RAG attack surface mapping — chunk parameters enable precise calculation of retrieval boundaries
- Zero-effort recon — no brute force, no credentials, no rate-limit concern. Single request from any IP.
Recommended Fix
Add get_verified_user dependency (or get_admin_user for stricter control):
# BEFORE (vulnerable)
@router.get('/')
async def get_status(request: Request):
# AFTER
@router.get('/')
async def get_status(request: Request, user=Depends(get_verified_user)):