PT-2025-12179 · Unknown · Open-Webui

Published: 2025-03-20 · Updated: 2025-07-18 · CVE-2024-7043

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: open-webui/open-webui version 0.3.8

Description: The issue allows attackers to view and delete any files due to improper access control. The application fails to verify whether the caller is an administrator, so an attacker can directly call the "GET /api/v1/files/" interface to retrieve information on all files uploaded by users, including their ID values. With those IDs, the attacker can then use the "GET /api/v1/files/{file id}" interface to obtain information on any file and the "DELETE /api/v1/files/{file id}" interface to delete any file.

Recommendations: For open-webui/open-webui version 0.3.8, restrict access to the GET /api/v1/files/ interface and implement proper access control to prevent unauthorized viewing and deletion of files until a patch is available. As a temporary workaround, also restrict access to the DELETE /api/v1/files/{file id} interface to minimize the risk of exploitation.
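The missing check behind this advisory, as an added example that is not Open WebUI's code: a constructed file store with the unchecked listing the description refers to, beside a version that enforces admin-or-owner authorization on the list, get and delete routes. The `User`, `StoredFile` and `FileStore` names and the sample data are assumptions.

```python
from dataclasses import dataclass
# Constructed model of a per-user file API. Not Open WebUI's code; it only
# mirrors the authorization gap described in the advisory above.

@dataclass(frozen=True)
class User:
    id: str
    role: str  # "admin" or "user"

@dataclass(frozen=True)
class StoredFile:
    id: str
    owner_id: str
    filename: str

class FileStore:
    def __init__(self, files):
        self._files = {f.id: f for f in files}

    def _authorized(self, user, f):
        # Admins may act on every upload; everyone else only on their own.
        return user.role == "admin" or f.owner_id == user.id

    def list_files_unchecked(self, user):
        # Vulnerable shape (0.3.8): every authenticated caller gets all
        # files, including the ids needed for the per-file routes.
        return list(self._files.values())

    def list_files(self, user):
        # Hardened listing: return only what the caller may see.
        return [f for f in self._files.values() if self._authorized(user, f)]

    def get_file(self, user, file_id):
        # None for both unknown and foreign ids, so the route does not
        # confirm which ids exist; a handler would map this to 404.
        f = self._files.get(file_id)
        return f if f is not None and self._authorized(user, f) else None

    def delete_file(self, user, file_id):
        # Re-check on the destructive route; never assume the listing
        # already filtered for this caller.
        f = self.get_file(user, file_id)
        if f is None:
            return False
        del self._files[f.id]
        return True

def build_sample_store():
    # Constructed sample uploads belonging to two ordinary users.
    return FileStore([StoredFile("f1", "alice", "notes.pdf"), StoredFile("f2", "bob", "budget.xlsx")])
```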

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2024-7043
GHSA-JRHC-9QG9-4QFQ

Affected Products

Open-Webui