Improper Privilege Management in open-webui/open-webui
Description
In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint http://0.0.0.0:8080/api/v1/users/{uuid_administrator}. This action is restricted by the user interface but can be performed through direct API calls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An improper privilege management vulnerability in open-webui v0.3.8 allows an admin to delete other admins via direct API calls despite UI restrictions.
Vulnerability
Overview
CVE-2024-7039 is an improper privilege management vulnerability in open-webui version v0.3.8. The application exposes an API endpoint at http://0.0.0.0:8080/api/v1/users/{uuid_administrator} that does not enforce the privilege checks present in the user interface. An authenticated attacker with administrator privileges can send a direct API call to this endpoint to delete other administrator accounts, an action that the UI would normally restrict [2][3].
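To make the missing server-side check concrete, here is an added illustration, not Open WebUI's own code: the in-memory user store, the handler names, and the policy that an admin may not delete another admin through this endpoint are assumptions that mirror the UI restriction the record describes. It shows a deletion handler that only verifies the caller's role beside one that also evaluates the target, so the same rule holds whether the request comes from the browser or from a direct API call.

```python
import uuid
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller may not perform the deletion (would map to HTTP 403)."""


@dataclass
class User:
    id: str
    role: str  # assumed roles for this illustration: "admin" or "user"


@dataclass
class UserStore:
    """Minimal stand-in for the application's user table (assumption, not the real model)."""
    users: dict = field(default_factory=dict)

    def add(self, role: str) -> User:
        user = User(id=str(uuid.uuid4()), role=role)
        self.users[user.id] = user
        return user


def delete_user_weak(store: UserStore, actor: User, target_id: str) -> bool:
    """Role-only check: any admin may delete any account, other admins included.

    This is the shape of gap the record describes: the API accepts a request
    the user interface would have refused.
    """
    if actor.role != "admin":
        raise PermissionDenied("admin role required")
    return store.users.pop(target_id, None) is not None


def delete_user_hardened(store: UserStore, actor: User, target_id: str) -> bool:
    """Object-level check: the decision depends on both the caller and the target.

    The server is the enforcement point, so hiding a button in the UI is not relied on.
    """
    if actor.role != "admin":
        raise PermissionDenied("admin role required")
    target = store.users.get(target_id)
    if target is None:
        return False  # nothing to delete; a real handler would answer 404
    if target.id == actor.id:
        raise PermissionDenied("an admin cannot delete their own account through this endpoint")
    if target.role == "admin":
        raise PermissionDenied("admin accounts are not deletable through this endpoint")
    del store.users[target_id]
    return True


def demo() -> dict:
    """Run both handlers against the same fixture and report the outcomes."""
    store = UserStore()
    alice, bob, carol = store.add("admin"), store.add("admin"), store.add("user")
    results = {"weak_admin_deletes_admin": delete_user_weak(store, alice, bob.id)}
    bob = store.add("admin")  # recreate the deleted admin for the hardened run
    try:
        delete_user_hardened(store, alice, bob.id)
        results["hardened_admin_deletes_admin"] = True
    except PermissionDenied:
        results["hardened_admin_deletes_admin"] = False
    results["hardened_admin_deletes_user"] = delete_user_hardened(store, alice, carol.id)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that the authorization decision takes the target object into account, not just the caller's role; a role gate alone reproduces the flaw no matter how strict the front end is.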
Exploitation
Exploitation requires the attacker to already possess an admin-level account on the Open WebUI instance. No additional authentication bypass is needed. The attack is performed by sending a crafted HTTP request (e.g., DELETE) to the vulnerable endpoint with the UUID of the target admin. Because the API lacks the same privilege validation as the web interface, the deletion succeeds even though the user interface would have blocked it [2].
Impact
A malicious admin can remove other administrators, effectively seizing full control of the Open WebUI deployment. This could lead to unauthorized changes to AI models, data, or configurations, and potentially lock out legitimate administrators. The vulnerability is especially dangerous in multi-tenant or organizational deployments where admin accounts are shared [2].
Mitigation
The vulnerability affects version 0.3.8; users should upgrade to a patched version (if available) following official updates from the project repository [1]. There is no public mention of a workaround. Organizations should review access to admin accounts and monitor API logs for unusual DELETE requests targeting user endpoints.
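The log review suggested above, as an added example that is not part of the record or of the project: a scanner over access-log lines that flags DELETE requests against /api/v1/users/{uuid} which the server accepted, and groups them by client so a burst of deletions from one source stands out. The uvicorn-style log shape and the sample lines are constructed for the illustration; adapt the line regex to whatever reverse proxy or ASGI server actually fronts the deployment.

```python
import re
from collections import Counter

# Constructed sample lines in a uvicorn-style access-log shape (not captured from a real system).
SAMPLE_LOG = """\
INFO:     10.0.0.5:51234 - "GET /api/v1/users/ HTTP/1.1" 200 OK
INFO:     10.0.0.5:51236 - "DELETE /api/v1/users/3f2a8c1e-9b47-4d6a-8e21-0c5f7a9d1b34 HTTP/1.1" 200 OK
INFO:     10.0.0.9:40012 - "DELETE /api/v1/users/7c1d2e3f-4a5b-4c6d-8e9f-0a1b2c3d4e5f HTTP/1.1" 403 Forbidden
INFO:     10.0.0.5:51240 - "DELETE /api/v1/users/a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d HTTP/1.1" 200 OK
INFO:     10.0.0.7:33001 - "DELETE /api/v1/chats/5 HTTP/1.1" 200 OK
"""

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# client:port - "METHOD /path HTTP/x.y" status
LINE_RE = re.compile(
    r'(?P<client>\d{1,3}(?:\.\d{1,3}){3}):\d+ - "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The vulnerable endpoint shape from the record: /api/v1/users/{uuid}
USER_DELETE_RE = re.compile(rf"^/api/v1/users/(?P<uid>{UUID})/?$", re.IGNORECASE)


def find_user_deletions(log_text: str) -> list[dict]:
    """Return every user-deletion request that the server accepted (2xx status)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["method"] != "DELETE":
            continue
        target = USER_DELETE_RE.match(m["path"])
        if not target:
            continue  # DELETE on some other resource
        status = int(m["status"])
        if 200 <= status < 300:
            findings.append({"client": m["client"], "user_id": target["uid"].lower(), "status": status})
    return findings


def clients_over_threshold(findings: list[dict], threshold: int = 2) -> dict[str, int]:
    """Clients responsible for at least `threshold` accepted deletions.

    In a deployment where admin-driven deletions are rare, a low threshold is a
    reasonable alert condition; tune it to the instance's normal activity.
    """
    counts = Counter(f["client"] for f in findings)
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for finding in find_user_deletions(SAMPLE_LOG):
        print(finding)
    print(clients_over_threshold(find_user_deletions(SAMPLE_LOG)))
```

Refused requests (403) are deliberately excluded from the findings, since the question the mitigation raises is which deletions actually went through; keeping a separate count of refused attempts is a cheap addition if the deployment wants to see probing as well.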
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| open-webui (PyPI) | <= 0.3.8 | — |
Affected products
- Range: = v0.3.8
- open-webui/open-webui/open-webuiv5, Range: unspecified
Patches
No patches discovered yet.
References