PT-2025-12211 · Unknown · Open-Webui

Published: 2025-03-20 · Updated: 2025-03-27 · CVE-2024-8053

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: open-webui/open-webui version v0.3.10

Description: The api/v1/utils/pdf endpoint lacks authentication, allowing unauthenticated attackers to reach the PDF generation service. The issue can be exploited by sending a POST request with an excessively large payload, potentially exhausting server resources and causing a denial of service (DoS). In addition, unauthorized users can misuse the endpoint to generate PDFs without any verification, resulting in service misuse and potential operational and financial impact.

Recommendations: For version v0.3.10, implement authentication for the api/v1/utils/pdf endpoint to prevent unauthorized access. As a temporary workaround, restrict access to this endpoint (for example, at the reverse proxy or firewall) to minimize the risk of exploitation. Avoid using the endpoint to generate PDFs without proper verification until a fix is available.
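The two controls the recommendation calls for, an authentication check and a bound on request size, can be expressed as a small request-handling function. The following is an added illustration written for this advisory; it is not Open WebUI's own code. It assumes bearer-token authentication with a constructed set of valid tokens, a constructed payload limit (MAX_PDF_PAYLOAD_BYTES), and an assumed JSON body shape with a "messages" field; the point is the ordering: authenticate first, reject oversized bodies from the declared length before parsing anything, and only then do the expensive rendering work.

```python
"""Hardened handling for a PDF-generation endpoint (constructed example).

The checks run in cost order: the cheap authentication check comes first so
unauthenticated callers never consume rendering resources, then a size limit
is enforced on the declared and actual body length before JSON parsing.
"""
import hmac
import json
from dataclasses import dataclass

# Assumed limit for this example; pick a value that fits real chat exports.
MAX_PDF_PAYLOAD_BYTES = 256 * 1024


@dataclass
class Response:
    status: int
    body: str


def check_auth(headers: dict, valid_tokens: set[str]) -> bool:
    """Return True only for a well-formed bearer token that matches a known one."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False
    token = auth[len("Bearer "):].strip()
    # Constant-time comparison avoids leaking token prefixes through timing.
    return any(hmac.compare_digest(token, known) for known in valid_tokens)


def handle_pdf_request(headers: dict, raw_body: bytes, valid_tokens: set[str]) -> Response:
    """Validate an incoming POST before any PDF rendering would take place."""
    headers = {k.lower(): v for k, v in headers.items()}

    # 1. Authentication before any work at all (the missing control in the advisory).
    if not check_auth(headers, valid_tokens):
        return Response(401, "authentication required")

    # 2. Size limit: check the declared Content-Length first so an oversized
    #    upload can be rejected before the body is fully read or parsed.
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        return Response(400, "bad content-length")
    if declared > MAX_PDF_PAYLOAD_BYTES or len(raw_body) > MAX_PDF_PAYLOAD_BYTES:
        return Response(413, "payload too large")

    # 3. Only now parse and validate the (assumed) payload shape.
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return Response(400, "invalid json")
    if not isinstance(payload, dict) or not isinstance(payload.get("messages"), list):
        return Response(422, "missing or invalid messages")

    # Rendering would happen here; this example only reports what it would do.
    return Response(200, f"would render {len(payload['messages'])} messages to PDF")


if __name__ == "__main__":
    tokens = {"constructed-example-token"}
    ok_body = b'{"title": "chat", "messages": [{"role": "user", "content": "hi"}]}'
    print(handle_pdf_request({}, ok_body, tokens))
    print(handle_pdf_request(
        {"Authorization": "Bearer constructed-example-token",
         "Content-Length": str(len(ok_body))}, ok_body, tokens))
```

Order matters for the DoS aspect: if the size check ran only after parsing, or the authentication check only after rendering, an unauthenticated client could still drive the server into expensive work before being rejected.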

Tags: Exploit · Fix · DoS · Improper Authentication · Missing Authentication


Weakness Enumeration

Related Identifiers: CVE-2024-8053, GHSA-9VF8-XGWM-97R8

Affected Products: Open-Webui