CVE-2024-7045

Name of the Vulnerable Software and Affected Versions open-webui/open-webui version v0.3.8

Description The issue is related to improper access control, allowing an attacker to view any prompts without verifying if the attacker is an administrator. This enables the attacker to directly call the "/api/v1/prompts/" interface to retrieve all prompt information created by the admin, including ID values. The attacker can then exploit the "/api/v1/prompts/command/{command id}" interface to obtain arbitrary prompt information.

Recommendations For version v0.3.8, consider restricting access to the "/api/v1/prompts/" and "/api/v1/prompts/command/{command id}" interfaces until a proper access control mechanism is implemented to verify administrator privileges. As a temporary workaround, limit the exposure of prompt information by implementing additional security measures to prevent unauthorized access.