PT-2024-3607 · Unknown · Open-Webui

Sylwia-Budzynska · Published 2024-03-18 · Updated 2025-06-30 · CVE-2024-30256

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.1.117
Description: An authenticated blind server-side request forgery (SSRF). The download_file_stream() function in backend/apps/web/routers/utils.py fetches whatever address is supplied in the url parameter, so an authenticated remote attacker can make the Open WebUI backend issue HTTP requests to hosts of their choosing, including loopback services, internal network hosts and cloud metadata endpoints that are not reachable from outside. The SSRF is blind: the response body is not returned to the attacker, but the request itself is still sent, which can be confirmed by pointing url at an attacker-controlled listener and observing the inbound connection.
Recommendations: For versions prior to 0.1.117, update to version 0.1.117 to resolve the issue. As a temporary workaround, restrict access to the endpoint that calls download_file_stream() (for example, to trusted administrators only) until the update is applied, and do not pass attacker-controlled values in the url parameter of the affected API endpoint until the issue is resolved.
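The following is an added illustrative example, not Open WebUI's own code and not the project's fix: it contrasts the unrestricted fetch-by-URL pattern that produces this class of SSRF with a hardened check that a download endpoint can apply before fetching. All function names, the FAKE_DNS table and the placeholder public address 93.184.216.34 are assumptions constructed for the demo so that it runs offline.

```python
"""Added example (not Open WebUI's code): validating a user-supplied download URL
against SSRF before the server fetches it. Names and sample data are assumptions."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


# --- The unrestricted pattern (illustrative only; never invoked below) ---
def unrestricted_download(url: str) -> bytes:
    """Fetches whatever the caller names: loopback services, LAN hosts, cloud
    metadata endpoints, even file:// with urllib's default handlers."""
    import urllib.request  # local import so the demo never touches the network
    with urllib.request.urlopen(url) as resp:  # no scheme or destination check
        return resp.read()


# --- Hardened form: check scheme, userinfo and every resolved address ---
def _is_blocked(ip) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 like 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global)


def system_resolver(hostname: str) -> List[str]:
    """Default resolver: return every A/AAAA answer, not just the first one."""
    answers = {info[4][0].split("%")[0] for info in socket.getaddrinfo(hostname, None)}
    return sorted(answers)


def validate_download_url(url: str,
                          resolver: Callable[[str], Iterable[str]] = system_resolver
                          ) -> Tuple[str, List[str]]:
    """Return (hostname, [resolved ips]) if the URL may be fetched, else raise ValueError.
    The caller should connect to one of the returned IPs (sending the original Host
    header) rather than re-resolving, so a DNS-rebinding answer cannot change the
    destination between the check and the fetch."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4 or bracketed IPv6
    except ValueError:
        # Not a plain literal (a name, or an odd form such as 0x7f000001):
        # let the resolver decide what it really means, then check every answer.
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"could not resolve {host!r}")
    for ip in addrs:
        if _is_blocked(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return host, [str(ip) for ip in addrs]


# Constructed DNS table so the demo runs offline; 93.184.216.34 is a placeholder public IP.
FAKE_DNS = {
    "files.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback answer
    "0x7f000001": ["127.0.0.1"],  # what a libc resolver makes of a hex-form literal
}


def fake_resolver(hostname: str) -> List[str]:
    return FAKE_DNS.get(hostname, [])


def check(url: str, resolver: Callable[[str], Iterable[str]] = fake_resolver) -> str:
    """Return 'allowed -> host [ips]' or 'blocked: <reason>' for one URL."""
    try:
        host, ips = validate_download_url(url, resolver)
        return f"allowed -> {host} {ips}"
    except ValueError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for u in ["https://files.example.com/report.pdf",
              "http://127.0.0.1:8080/api/",
              "http://[::ffff:127.0.0.1]/",
              "http://169.254.169.254/latest/meta-data/",
              "http://intranet.example.com/",
              "http://rebind.example.com/",
              "http://0x7f000001/",
              "file:///etc/passwd",
              "http://user:pw@files.example.com/"]:
        print(f"{u:45} {check(u)}")
```

Two caveats the check alone does not cover: the fetch that follows must not auto-follow redirects (or must re-validate each hop with the same function), and the destination should be pinned to a validated IP rather than re-resolved, otherwise a short-TTL name can pass the check and then rebind to 127.0.0.1 at connect time.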

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

BDU:2024-03923
CVE-2024-30256
GHSA-39WR-R5VM-3JXJ

Affected Products

Open-Webui