CVE-2024-7039

Name of the Vulnerable Software and Affected Versions open-webui/open-webui version v0.3.8

Description The application exhibits improper privilege management. An attacker with administrator privileges can delete other administrators by directly accessing the API endpoint http://0.0.0.0:8080/api/v1/users/{uuid administrator}. This action is restricted within the user interface but is achievable through direct API calls using the uuid administrator variable.

Recommendations open-webui/open-webui version v0.3.8: Restrict access to the API endpoint http://0.0.0.0:8080/api/v1/users/{uuid administrator} to prevent unauthorized administrator deletion. As a temporary workaround, consider disabling the API endpoint until a patch is available.