[GH-ISSUE #17669] feat: Hide knowledge bases which are private from users even if they are using a model which has had the knowledge base shared with it #33888

Closed
opened 2026-04-25 07:46:07 -05:00 by GiteaMirror · 9 comments

Originally created by @b4ux1t3 on GitHub (Sep 23, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/17669

Check Existing Issues

  • I have searched the existing issues and discussions.

Problem Description

Simply allowing a model access to a knowledge base in the admin settings makes any and all knowledge bases shared with that model available to users who should not have visibility of that knowledge.

Desired Solution you'd like

I'd prefer if users talking to a model could only access resources they're actually allowed access to. When processing chats from users with no access to knowledge that the model has been given access to, simply don't use it for querying/searching.

Alternatives Considered

No response

Additional Context

No response


@silentoplayz commented on GitHub (Oct 23, 2025):

Thank you for the report. At the moment the ticket does not contain enough detail for us to determine whether this is a permissions bug, an enhancement request, or both, BUT I believe I have confirmed this issue on the latest commit of the dev branch at the time of typing out this comment. I would very much appreciate your confirmation as to whether this is similar to how you were able to reproduce the issue.

Test plan – 5-minute sanity check that proves the bug exists

  0. Preconditions
    • You need two accounts:
    – Admin (can attach KBs to models)
    – User (must not have read access to at least one KB)
    • Create / pick two knowledge bases:
    – KB-public : visible to everyone (Public)
    – KB-private : visible only to Admin (Private)
    • Pick any model (base or workspace) that Restricted-user is allowed to chat with.

  1. Attach both KBs to the model
    • Admin Panel → Settings → Models → Edit Pencil icon for a model → Attach KB-public and KB-private knowledge-bases to model → Save & Update.

  2. Verify Restricted-user really has no direct access
    • Log in as Restricted-user → navigate to New Chat page → Type # in the text input field → You should not see KB-Private knowledge collection or any files contained in that collection. Verify you only see KB-Public knowledge collection and its files.

  3. Open a chat with the model as Restricted-user
    • Ask a question whose answer lives only in KB-private (something like “What is the secret sauce recipe?”).

  4. Observe that the model answers with the private content as a source → bug confirmed (user obtained data they cannot directly read).

  5. Repeat once with the KB-private detached to be sure the model really was pulling from it in step 4.
    • It was. Now it isn't.

TL;DR: When a knowledge base is attached to a model, all users who can chat with that model receive answers drawn from the KB—even if their own account lacks read permission on that KB. In short, model-level attachment currently overrides user-level KB access control lists. The model disclosed a private file to a user without access/visibility to the knowledge; the file is stored in a knowledge base that belongs only to the superadmin who created it as a private knowledgebase.

The provided screenshots alone speak for themselves and are a product of the test results:

From my Superadmin account, I created two knowledge-bases. One made Public, the other Private.

Image Image

I then attached both knowledge-bases to a model (tested with both a base model and a custom Workspace model created from a base model; either works to reproduce this issue).

Image

Moving over to the user account, typing # reveals that I can only attach the Public knowledge-base collection and/or file to the chat input field, but asking a question about something only in the Private knowledge-base collection and/or file revealed exactly what it shouldn't have!

Image

I SHOULD NOT BE ABLE TO SEE THE CONTENTS OF THIS FILE AT ALL AS A USER WITHOUT PERMISSION TO THE KNOWLEDGE-BASE!

Image

If I click on the underlined text file name from the user account that shouldn't have access to the private file, it indeed doesn't get to see the contents of the file, but the model still tells the user about the file and reveals the contents in the source/annotation modal.

Image Image

Edit: If I toggle the switch for Use Full Document for the Private knowledgebase, then the user does not have access to it! The user has access to it without this switched on.

Image
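The access rule that the test plan above expects, as an added sketch that is not part of the original comment and is not Open WebUI's code: the knowledge bases attached to a model are intersected with the ones the chatting user may read, before either retrieval path runs. All class, function and KB names are hypothetical, and the in-memory index with keyword matching stands in for a real vector store.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class KnowledgeBase:
    id: str
    owner_id: str
    public: bool = False
    readers: frozenset = frozenset()   # user ids granted read access
    full_document: bool = False        # stands in for a "Use Full Document" style toggle

def can_read(user_id, kb):
    """User-level ACL: public, owned by the user, or explicitly shared."""
    return kb.public or kb.owner_id == user_id or user_id in kb.readers

def tokens(text):
    return set(re.findall(r"\w+", text.lower()))

def retrieve(user_id, attached, query, index, enforce_user_acl=True):
    """Return (hits, denied_kb_ids) for one chat turn.

    attached: KBs the admin attached to the model.
    enforce_user_acl=False reproduces the reported behaviour, where
    model-level attachment alone decides what is searched.
    """
    if enforce_user_acl:
        sources = [kb for kb in attached if can_read(user_id, kb)]
    else:
        sources = list(attached)
    # Returned so the caller can log the skip instead of dropping it silently.
    denied = [kb.id for kb in attached if kb not in sources]
    hits = []
    for kb in sources:  # the ACL filter above runs before BOTH retrieval paths
        for chunk in index[kb.id]:
            if kb.full_document or tokens(query) & tokens(chunk):
                hits.append((kb.id, chunk))
    return hits, denied

# Constructed sample data (not taken from the issue's screenshots).
KB_PUBLIC = KnowledgeBase("kb-public", owner_id="admin", public=True)
KB_PRIVATE = KnowledgeBase("kb-private", owner_id="admin")
INDEX = {
    "kb-public": ["Office hours run nine to five."],
    "kb-private": ["The secret sauce recipe is ketchup and mayo."],
}
QUESTION = "What is the secret sauce recipe?"

if __name__ == "__main__":
    attached = [KB_PUBLIC, KB_PRIVATE]
    print("unfiltered:", retrieve("restricted-user", attached, QUESTION, INDEX, False))
    print("filtered:  ", retrieve("restricted-user", attached, QUESTION, INDEX))
    print("owner:     ", retrieve("admin", attached, QUESTION, INDEX))
```

Because the filter sits ahead of the loop, the chunk-search path and the full-document path cannot disagree about who may read a knowledge base.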

@b4ux1t3 commented on GitHub (Oct 31, 2025):

Just wanted to let you know I saw your response and have put "Read this and verify" on my todo list for today/early next week, sorry for the slow response!


@apunkt commented on GitHub (Dec 16, 2025):

I see exactly the desired behaviour in v0.6.41

I (Admin) have a private knowledge base, which I attach to a public model.
Anyone using the public model - cannot see the knowledge base nor add via #
The knowledge base is not used when any user is using this model, but is used when I use this model. (You can see in the logs that search is not performed for any user, even though the frontend briefly (and wrongly) shows that it is performing search.)

However, in previous versions the behaviour was different!
When an admin attached a private knowledge base to a model, anyone using this model was not able to see or access the knowledge base, but the model they had access to still had access to the knowledge base, so any user could leverage knowledge from the model response without exposing it to the user.
Which, I believe, is the correct behaviour, because as an admin I might want to decide to grant a model access to knowledge (but not the user, so keeping it private) and grant users access to the model that uses the knowledge.

How would I configure this in v0.6.41?
Because this is what I want (back).

Thanks

@Classic298 commented on GitHub (Dec 16, 2025):

Just set the knowledgebase to public?

@Classic298 commented on GitHub (Dec 16, 2025):

Thanks @apunkt for confirming this is fixed. Closing.

@apunkt commented on GitHub (Dec 16, 2025):

> Just set the knowledgebase to public?

I want a public model to have access to a private knowledge base, using it to formulate responses for public users
AND public users NOT to see the private knowledge base.

This was working (intentionally or unintentionally) in previous versions, but now isn't anymore.

Now the UI says "searching knowledge base" but it silently fails, nothing in the logs, no search hits the vector store (qdrant).
I suppose because the knowledge base is private and the user has no access to it.

But I believe it is a feature to only grant a model access to a private knowledge base and make this model publicly available.

@Classic298 commented on GitHub (Dec 16, 2025):

Can you please expand on why a public knowledgebase is not an option here yet you want the information to be publicly accessible? Maybe this can help with finding an alternative solution.

@apunkt commented on GitHub (Dec 16, 2025):

In my use case the knowledge base contains proprietary information.
The way I chunked the information and prompted the model will not expose this proprietary information, but rather share the "method" of the proprietary information, which itself is not proprietary.

The model then answers how you can do something (approach) rather than how it has been done (i.e. in code), thus keeping proprietary information private but sharing allowed methods so users can come up with their own ideas.

@Classic298 commented on GitHub (Dec 16, 2025):

@apunkt As a security engineer I want to urgently tell you that no prompt is good enough to prevent attacks against LLMs.

Any information given to an LLM (e.g. via a knowledge base) CAN (and eventually WILL) be extracted by users managing to jailbreak the model into ignoring its system prompt and just throwing out the information.

Even models by the largest companies, i.e. Anthropic and Google, get jailbroken regularly despite their very noble red teaming efforts. It's just the nature of these models. It's not classic software that adheres to fixed rules - it's non-deterministic.

Furthermore: in Open WebUI, users can just click on the sources the model cited (i.e. the knowledgebase that is referenced) and when clicking on the source, you will see the source's content in the source citation popup.

e.g.:

Image Image

What I could recommend to you in your case could be to build a function, give that function to the model and have the model query information from a knowledge base (RAG) via the function - through that you could bypass the access control of open webui.

Reference: github-starred/open-webui#33888