VYPR
High severity · NVD Advisory · Published Mar 20, 2025 · Updated Oct 15, 2025

Improper Access Control in open-webui/open-webui

CVE-2024-7043

Description

An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all files uploaded by users, which includes the ID values. The attacker can then use the GET /api/v1/files/{file_id} interface to obtain information on any file and the DELETE /api/v1/files/{file_id} interface to delete any file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper access control in open-webui v0.3.8 allows any attacker to view and delete all user files via unauthenticated API calls.

Root Cause

CVE-2024-7043 is an improper access control vulnerability in open-webui/open-webui v0.3.8 [1][2]. The application fails to verify whether the requesting user is an administrator when handling file-related API endpoints. This oversight means that no authentication or privilege check is enforced for critical operations on user-uploaded files [2].

Exploitation

An attacker can directly call the GET /api/v1/files/ interface to retrieve a list of all uploaded files, including their unique identifiers (file_id values) [2]. Armed with those IDs, the same attacker can then use GET /api/v1/files/{file_id} to read the contents of any file and DELETE /api/v1/files/{file_id} to delete any file [2]. No special network position or authentication is required; the attack is accessible to any party that can reach the application's API [2].

Impact

Successful exploitation gives an unauthenticated attacker complete read and write access to all user-uploaded files stored in the platform [2]. This includes any sensitive documents, images, or data that users have shared through the AI interface. An attacker could exfiltrate confidential information or permanently destroy user data, potentially leading to data loss and privacy breaches [2].

Mitigation

The vulnerability has been publicly disclosed via Huntr [3]. Users of open-webui must update to a version newer than v0.3.8 that implements proper authorization checks on the file API endpoints [2][3]. As of the publication date, no official patch version has been confirmed, but the maintainer repository is actively developed [1].
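The authorization check that the Root Cause and Mitigation sections describe as missing, shown as an added illustration that is not open-webui's code: a minimal in-memory file store whose listing is admin-only and whose per-file read and delete require the caller to be the file's owner or an admin, alongside the unchecked listing that reproduces the class of bug. The User, StoredFile and FileStore names, the role strings and the exception-to-HTTP mapping are assumptions.

```python
from dataclasses import dataclass
# Constructed example, not open-webui's code; names and roles are assumptions.
class Unauthorized(Exception): pass   # no authenticated caller (HTTP 401)
class Forbidden(Exception): pass      # caller lacks the required role (HTTP 403)
class NotFound(Exception): pass       # file missing or not visible (HTTP 404)

@dataclass(frozen=True)
class User:
    id: str
    role: str  # "admin" or "user"
@dataclass(frozen=True)
class StoredFile:
    id: str
    owner_id: str
    name: str
def require_user(caller: "User | None") -> User:
    if caller is None:
        raise Unauthorized
    return caller

class FileStore:
    def __init__(self, files: list[StoredFile]):
        self.files = {f.id: f for f in files}

    # The vulnerable shape: every upload is listed with no check on who asks.
    def list_files_unchecked(self) -> list[str]:
        return sorted(self.files)

    # Hardened: listing all users' uploads (and their IDs) is admin-only.
    def list_files(self, caller: "User | None") -> list[str]:
        if require_user(caller).role != "admin":
            raise Forbidden
        return sorted(self.files)

    def _visible(self, caller: "User | None", file_id: str) -> StoredFile:
        user = require_user(caller)
        f = self.files.get(file_id)
        # Missing and foreign files get the same answer, so guessed IDs reveal nothing.
        if f is None or (f.owner_id != user.id and user.role != "admin"):
            raise NotFound
        return f

    def get_file(self, caller: "User | None", file_id: str) -> StoredFile:
        return self._visible(caller, file_id)

    def delete_file(self, caller: "User | None", file_id: str) -> str:
        f = self._visible(caller, file_id)
        del self.files[f.id]
        return f.id
```

The same owner-or-admin rule belongs on every route that takes a file_id, since the listing fix alone does not stop a caller who already holds an ID.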

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
open-webui (PyPI)  <= 0.3.8            (none listed)

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.