Unrated severity · NVD Advisory · Published Oct 10, 2024 · Updated Oct 15, 2025
IDOR in open-webui/open-webui
CVE-2024-7048
Description
In version v0.3.8 of open-webui, an improper privilege management vulnerability exists in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. This vulnerability allows a lower-privileged user to access and overwrite files managed by a higher-privileged admin. By exploiting this vulnerability, an attacker can view metadata of files uploaded by an admin and overwrite these files, compromising the integrity and availability of the RAG models.
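The class of flaw described above, shown as an added example with the missing per-record ownership check next to a corrected form. This is not open-webui code: `DocStore`, its method names, the user dictionaries and the file names are hypothetical, and the store is a constructed in-memory stand-in for the documents behind the listing and upload endpoints.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a caller may not touch a stored document."""


@dataclass
class Doc:
    name: str
    owner_id: str
    content: str


class DocStore:
    """Constructed in-memory stand-in for a shared document store (hypothetical)."""

    def __init__(self):
        self._docs = {}

    @staticmethod
    def _can_access(user, doc):
        # Object-level rule: the owner or an admin, decided per record.
        return user["role"] == "admin" or doc.owner_id == user["id"]

    # Flawed pattern: being logged in is the only check.
    def list_unscoped(self, user):
        return sorted(self._docs)  # every user's document names are returned

    def save_unscoped(self, user, name, content):
        self._docs[name] = Doc(name, user["id"], content)  # silent overwrite

    # Hardened pattern: each read and write is checked against the record's owner.
    def list_scoped(self, user):
        return sorted(d.name for d in self._docs.values() if self._can_access(user, d))

    def save_scoped(self, user, name, content):
        existing = self._docs.get(name)
        if existing is not None and not self._can_access(user, existing):
            raise Forbidden(f"{user['id']} may not overwrite {name}")
        owner = existing.owner_id if existing else user["id"]  # keep original owner
        self._docs[name] = Doc(name, owner, content)

    def read(self, name):
        return self._docs[name].content
```

A regression test for a fix of this kind should call both the listing and the write path as a non-admin user against an admin-owned record, since the advisory names both endpoints.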
Affected products (2)
- (no CPE) range: = 0.3.8
- (no CPE) range: unspecified