CVE-2024-7041

Name of the Vulnerable Software and Affected Versions open-webui/open-webui version v0.3.8

Description An Insecure Direct Object Reference (IDOR) vulnerability exists, occurring in the API endpoint http://0.0.0.0:3000/api/v1/memories/{id}/update. The decentralization design is flawed, allowing attackers to edit other users' memories without proper authorization.

Recommendations For open-webui/open-webui version v0.3.8, as a temporary workaround, consider restricting access to the http://0.0.0.0:3000/api/v1/memories/{id}/update API endpoint until a patch is available. Avoid using the id variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.