CVE-2024-7049

Name of the Vulnerable Software and Affected Versions open-webui/open-webui version v0.3.8

Description A vulnerability exists where a token is returned when a user with a pending role logs in, allowing the user to perform actions without admin confirmation and bypassing the intended approval process.

Recommendations For version v0.3.8, as a temporary workaround, consider restricting the use of tokens for users with pending roles until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.