PT-2024-38043 · Unknown · Open-Webui

Published: 2024-10-09 · Updated: 2025-07-29 · CVE-2024-7048

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: open-webui version v0.3.8

Description: The issue is improper privilege management in the API endpoints "GET /api/v1/documents/" and "POST /rag/api/v1/doc", which allows a lower-privileged user to access and overwrite files managed by a higher-privileged admin, compromising the integrity and availability of the RAG models. An attacker can use this to view the metadata of files uploaded by an admin and to overwrite those files.

Recommendations: For open-webui version v0.3.8, patch immediately and review access controls to mitigate the risk of unauthorized access. As a temporary workaround, consider restricting access to the API endpoints "GET /api/v1/documents/" and "POST /rag/api/v1/doc" until a patch is available.
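Both endpoints named above share one defect class: the request is authenticated, but the document it lists or replaces is never checked against the caller's role or ownership. The following is an added example written for this page, not Open WebUI's own code. It models a hypothetical in-memory document store with the weak pattern beside a hardened one that filters listings by role and ownership, refuses cross-owner overwrites, and records each denial so it can be picked up by monitoring. The User, Document and DocumentStore names, the "admin"/"user" roles and the sample documents are all assumptions made for the example.

```python
# Added illustration of the vulnerability class described above. This is
# hypothetical code written for this page, not Open WebUI's implementation;
# the User/Document/DocumentStore names, the "admin"/"user" roles and the
# sample documents are assumptions made for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class User:
    id: str
    role: str  # assumed roles: "admin" or "user"


@dataclass
class Document:
    name: str
    owner_id: str
    content: bytes
    metadata: dict = field(default_factory=dict)


def can_access(user: User, doc: Document) -> bool:
    """Authorization decision: admins see everything, other users only their own."""
    return user.role == "admin" or doc.owner_id == user.id


class DocumentStore:
    """In-memory stand-in for a RAG document store, with both API styles side by side."""

    def __init__(self) -> None:
        self.docs: Dict[str, Document] = {}
        self.audit: List[str] = []  # denied requests, kept for detection

    # --- weak pattern: authentication only, no per-document authorization ---

    def list_unchecked(self, user: User) -> List[dict]:
        """Returns metadata of every document to any authenticated user."""
        return [self._view(d) for d in self.docs.values()]

    def upload_unchecked(self, user: User, name: str, content: bytes) -> None:
        """Stores by name and silently replaces whatever was there before."""
        self.docs[name] = Document(name, user.id, content)

    # --- hardened pattern: authorization on every read and before any overwrite ---

    def list_documents(self, user: User) -> List[dict]:
        """Returns only the documents the caller is authorized to see."""
        return [self._view(d) for d in self.docs.values() if can_access(user, d)]

    def upload(self, user: User, name: str, content: bytes) -> None:
        """Refuses to overwrite a document the caller does not own (admins excepted)."""
        existing: Optional[Document] = self.docs.get(name)
        if existing is not None and not can_access(user, existing):
            self.audit.append(f"DENY overwrite name={name!r} user={user.id} role={user.role}")
            raise PermissionError(f"user {user.id} may not overwrite {name!r}")
        owner = existing.owner_id if existing is not None else user.id
        self.docs[name] = Document(name, owner, content)

    @staticmethod
    def _view(doc: Document) -> dict:
        return {"name": doc.name, "owner": doc.owner_id, **doc.metadata}


def demo() -> dict:
    """Runs both patterns on constructed sample data and returns what each exposes."""
    admin = User("admin-1", "admin")
    alice = User("user-7", "user")
    weak = DocumentStore()
    hard = DocumentStore()
    for store in (weak, hard):
        # constructed sample: an admin-managed document in the RAG collection
        store.docs["policy.pdf"] = Document("policy.pdf", admin.id, b"admin content", {"size": 13})

    leaked = weak.list_unchecked(alice)                      # metadata disclosed
    weak.upload_unchecked(alice, "policy.pdf", b"replaced by low-priv user")

    visible = hard.list_documents(alice)                     # nothing disclosed
    try:
        hard.upload(alice, "policy.pdf", b"replaced by low-priv user")
        overwrite_blocked = False
    except PermissionError:
        overwrite_blocked = True
    hard.upload(alice, "notes.txt", b"alice's own file")    # own uploads still work

    return {
        "weak_listed_to_user": len(leaked),
        "weak_content_after_upload": weak.docs["policy.pdf"].content,
        "hard_listed_to_user": len(visible),
        "hard_overwrite_blocked": overwrite_blocked,
        "hard_content_after_upload": hard.docs["policy.pdf"].content,
        "hard_user_sees_own": len(hard.list_documents(alice)),
        "hard_admin_sees_all": len(hard.list_documents(admin)),
        "audit_entries": len(hard.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hardened `upload` keeps the original owner when an admin legitimately replaces a document, so ownership cannot be reassigned through an overwrite, and every refusal lands in `audit`, which is the signal a defender would forward to a SIEM while the temporary endpoint restriction from the recommendations is in place.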

Weakness Enumeration: Incorrect Authorization; Improper Privilege Management

Related Identifiers: CVE-2024-7048

Affected Products: Open-Webui