CVE-2024-7040

Medium CVSS 4.9

Overview

In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts.

CWE: CWE-284 Published: 2025-03-20T10:15:35.607

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

CVSS: 4.9 (MEDIUM)
Detected tags: misconfiguration (tag impact: LOW)

Recommended actions:

Prioritize remediation based on business criticality and exposure.
Limit exposure and increase monitoring until fixed.

Overview

Recommended tools

Tags