Unrated severity · NVD Advisory · Published Oct 10, 2024 · Updated Oct 15, 2025

IDOR in open-webui/open-webui

CVE-2024-7048

Description

In version v0.3.8 of open-webui, an improper privilege management vulnerability exists in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. This vulnerability allows a lower-privileged user to access and overwrite files managed by a higher-privileged admin. By exploiting this vulnerability, an attacker can view metadata of files uploaded by an admin and overwrite these files, compromising the integrity and availability of the RAG models.

Affected products

2
  • Openwebui/Open Webui (llm-fuzzy), 2 versions
    • (no CPE) range: = 0.3.8
    • (no CPE) range: unspecified

References

1
