PT-2025-12175 · Unknown · Open-Webui
Published 2025-03-20 · Updated 2025-03-21 · CVE-2024-7035
CVSS v3.1: 6.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions
open-webui/open-webui version v0.3.8
Description
The issue allows an attacker to perform Cross-Site Request Forgery (CSRF) attacks. Because the affected endpoints perform state-changing resets and rely only on the browser's ambient credentials, a logged-in user who visits a malicious site, or who is sent there through top-level navigation, can be made to trigger these sensitive actions without intending to. The affected endpoints include "/rag/api/v1/reset", "/rag/api/v1/reset/db", "/api/v1/memories/reset", and "/rag/api/v1/reset/uploads". This impacts both the availability and integrity of the application.
Recommendations
For version v0.3.8, consider disabling or restricting access to the sensitive endpoints "/rag/api/v1/reset", "/rag/api/v1/reset/db", "/api/v1/memories/reset", and "/rag/api/v1/reset/uploads" until a patch is available. Avoid using the GET method for sensitive actions such as deleting and resetting. As a temporary workaround, restrict sensitive actions to POST or other more secure request methods to minimize the risk of exploitation.
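To make the recommendation concrete, the following is an added example written for this page; it is not Open WebUI's own code and does not reproduce its handlers. It models the vulnerable pattern (a destructive reset reachable by GET and gated only by a session cookie) next to a hardened handler that accepts POST only, checks the request's Origin/Referer against the deployment's own origin, and requires a custom header that a cross-site HTML form cannot set. The origin, session table, and in-memory "store" are constructed placeholders. The point the caveat makes: moving to POST alone stops forged GETs (images, links, top-level navigation) but not an auto-submitted cross-site form, which is why the origin check and custom header are included.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed values for the demo: the deployment's own origin and a fake session table.
TRUSTED_ORIGIN = "https://webui.example.internal"
SESSIONS = {"sess-7f3a": "admin"}  # cookie value -> user name (constructed)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def current_user(req: Request) -> Optional[str]:
    """Cookie-based auth: the browser attaches the cookie to any request for this site."""
    return SESSIONS.get(req.cookies.get("session"))


def vulnerable_reset(req: Request, store: dict) -> Response:
    """The pattern the advisory describes: a destructive reset reachable via GET.
    The session cookie is the only check, so a forged cross-site GET succeeds."""
    if req.method != "GET":
        return Response(405, "method not allowed")
    if current_user(req) is None:
        return Response(401, "unauthorised")
    store.clear()
    return Response(200, "reset done")


def _origin_of(value: Optional[str]) -> Optional[str]:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    if not value:
        return None
    p = urlparse(value)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None


def hardened_reset(req: Request, store: dict) -> Response:
    """Hardened handler: POST only, same-origin check on Origin/Referer, and a
    custom header that a plain cross-site form submission cannot carry."""
    if req.method != "POST":
        return Response(405, "method not allowed")
    if current_user(req) is None:
        return Response(401, "unauthorised")
    origin = _origin_of(req.headers.get("Origin")) or _origin_of(req.headers.get("Referer"))
    if origin != TRUSTED_ORIGIN:
        return Response(403, "cross-site request rejected")
    if req.headers.get("X-Requested-With") != "XMLHttpRequest":
        return Response(403, "missing anti-CSRF header")
    store.clear()
    return Response(200, "reset done")


def run_scenarios() -> dict:
    """Replay browser-originated requests against both handlers.
    Returns {scenario: (status, store_still_populated)}."""
    results = {}
    cookies = {"session": "sess-7f3a"}  # victim's cookie, attached automatically by the browser

    # 1. Forged GET (image tag or top-level navigation) from a third-party page.
    forged_get = Request("GET", "/rag/api/v1/reset/db",
                         {"Referer": "https://attacker.example/page"}, cookies)
    store = {"docs": 3}
    r = vulnerable_reset(forged_get, store)
    results["vulnerable_forged_get"] = (r.status, bool(store))

    store = {"docs": 3}
    r = hardened_reset(forged_get, store)
    results["hardened_forged_get"] = (r.status, bool(store))

    # 2. Forged cross-site POST from an auto-submitted HTML form (browser sets Origin).
    forged_post = Request("POST", "/rag/api/v1/reset/db",
                          {"Origin": "https://attacker.example"}, cookies)
    store = {"docs": 3}
    r = hardened_reset(forged_post, store)
    results["hardened_forged_post"] = (r.status, bool(store))

    # 3. Legitimate fetch() issued by the application's own front end.
    legit = Request("POST", "/rag/api/v1/reset/db",
                    {"Origin": TRUSTED_ORIGIN, "X-Requested-With": "XMLHttpRequest"}, cookies)
    store = {"docs": 3}
    r = hardened_reset(legit, store)
    results["hardened_legit_post"] = (r.status, bool(store))
    return results


if __name__ == "__main__":
    for name, (status, intact) in run_scenarios().items():
        print(f"{name:24} status={status} data_intact={intact}")
```

Running the script shows the forged GET wiping the store under the vulnerable handler (200, data gone) while the hardened handler rejects it with 405, rejects the forged form POST with 403, and still accepts the application's own same-origin request. In a real deployment the same checks belong in middleware rather than in each handler, and a per-session CSRF token is the usual complement when the custom-header requirement cannot be guaranteed by every client.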
Exploit
Fix
CSRF
Weakness Enumeration
Related Identifiers
Affected Products
Open-Webui