VYPR
High severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 27, 2025

Improper Authentication in open-webui/open-webui

CVE-2024-8053

Description

In version v0.3.10 of open-webui/open-webui, the api/v1/utils/pdf endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with an excessively large payload, potentially leading to server resource exhaustion and denial of service (DoS). Additionally, unauthorized users can misuse the endpoint to generate PDFs without verification, resulting in service misuse and potential operational and financial impacts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open WebUI v0.3.10's PDF generation endpoint lacks authentication, enabling unauthenticated DoS via large payloads and service misuse.

Vulnerability

Overview

CVE-2024-8053 affects open-webui version v0.3.10, specifically the /api/v1/utils/pdf endpoint. This endpoint is designed to generate PDFs but does not enforce any authentication mechanism, allowing any unauthenticated user to send requests to it [1][2]. The root cause is the absence of access controls on this API route, which is exposed without verification of the requester's identity or authorization.

Exploitation

Prerequisites

An attacker can exploit this vulnerability by sending a POST request to the endpoint with an excessively large payload. No prior authentication or network position is required; the endpoint is accessible over the network if the service is reachable [2]. The lack of authentication means that any user who can reach the server can trigger the PDF generation service, potentially leading to server resource exhaustion and denial of service (DoS) [2][3].

Impact

Successful exploitation can result in two primary impacts. First, sending a large payload can overwhelm server resources, causing a denial of service that affects legitimate users. Second, unauthorized users can misuse the endpoint to generate PDFs without any verification, leading to service misuse and potential operational and financial impacts, such as increased compute costs or abuse of the service for spam [2][3].

Mitigation

Status

As of the publication date (2025-03-20), the vulnerability is present in version v0.3.10. Users are advised to upgrade to a patched version if available, or implement access controls (e.g., authentication middleware) on the /api/v1/utils/pdf endpoint. The vendor's GitHub repository [1] and the Huntr bounty page [3] provide additional context and potential updates.
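The two controls the advisory calls for, an authentication check and a bound on the request body, shown as an added, framework-agnostic gate in front of a PDF-generation route (example code, not Open WebUI's own implementation; the token store, size limit and the assumed `title`/`messages` request fields are constructed placeholders):

```python
"""Access gate for a PDF-generation route such as /api/v1/utils/pdf.

In the vulnerable behaviour described by CVE-2024-8053 the route ran
neither check below, so any reachable client could submit a payload of
any size straight into the renderer. Here the request is refused before
any rendering work is done unless it is authenticated and within bounds.
"""
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed example token store; a real deployment validates its own
# session or JWT credentials instead.
VALID_TOKENS = {"session-token-for-alice": "alice"}
MAX_PDF_BODY_BYTES = 256 * 1024  # assumed cap on the chat payload


@dataclass
class Decision:
    status: int          # HTTP status the gate would return
    reason: str
    user: Optional[str] = None


def authenticate(headers: dict) -> Optional[str]:
    """Resolve a Bearer token to a user, or None when absent/invalid."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return None
    token = auth[7:].strip()
    for known, user in VALID_TOKENS.items():
        if hmac.compare_digest(token, known):  # constant-time compare
            return user
    return None


def gate_pdf_request(headers: dict, body: bytes) -> Decision:
    """Order matters: reject unauthenticated and oversized requests
    before spending any parsing or rendering effort on them."""
    user = authenticate(headers)
    if user is None:
        return Decision(401, "authentication required")
    if len(body) > MAX_PDF_BODY_BYTES:
        return Decision(413, "payload too large")
    try:
        payload = json.loads(body)
    except ValueError:
        return Decision(400, "invalid JSON body")
    # Assumed request shape: a title plus a list of chat messages.
    if not isinstance(payload, dict) or not isinstance(payload.get("messages"), list):
        return Decision(422, "missing messages list")
    return Decision(200, "ok", user)
```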

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: open-webui (PyPI)
Affected versions: <= 0.3.10
Patched versions: none listed

Patches

No patches discovered yet.
