@@ -1,24 +1,46 @@
{
"schema_version": "1.4.0",
"id": "GHSA-cfvq-fj53-j2c7",
"modified": "2025-03-20T12:32:46Z",
"modified": "2025-10-15T15:31:30Z",
"published": "2025-03-20T12:32:45Z",
"aliases": [
"CVE-2024-7040"
],
"details": "In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts.",
"summary": "[DISPUTED BY VENDOR] Open WebUI Improper Access Control — Cross-Admin Chat Access via user_id",
"details": "> **DISPUTED BY VENDOR (Open WebUI maintainers).** This advisory does not describe a vulnerability. It describes an administrator-versus-administrator scenario — one admin reading another admin's chats via the `user_id` parameter on an admin-gated endpoint. Administrators of a single instance share one trust boundary and full system control; this is not a privilege boundary in the project's threat model. Out of scope per the Open WebUI security policy (Rules 7, 9). The corresponding report was filed via the project's GHSA channel (GHSA-3w8w-xvxq-jmwp) and closed as out-of-scope; huntr.dev published the CVE in disregard of that vendor disposition. A formal REJECT request is pending with MITRE. See: https://docs.openwebui.com/security/vendor-dispositions/cve-2024-7040/\n\n---\n\nIn version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
}
],
"affected": [],
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": ""
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
]
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7040"
},
{
"type": "WEB",
"url": "https://docs.openwebui.com/security/vendor-dispositions/cve-2024-7040"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/bd182309-4aa4-4747-941e-bbc1741955c1"
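Review bot: the new `affected` entry is malformed: `"ecosystem": "PyPI"` is paired with `"name": ""`, so it identifies no package at all, and its only event is `"introduced": "0"` with no `fixed` event, which marks every version as affected even though the details pin the report to v0.3.8 and the same text says the maintainers dispute that it is a vulnerability. Either fill in the actual PyPI distribution name and a `fixed` boundary, or keep `"affected": []` as it was before this change. Two smaller points in the same hunk: the `summary` and `details` now state the advisory is disputed, yet the `severity` block still carries the unchanged `CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N` vector, so consumers of this record will keep scoring it as High; if the intent is to reflect the vendor disposition, the OSV `withdrawn` timestamp is the field for that rather than a blockquote inside `details`. Also, the vendor disposition URL appears with a trailing slash in `details` but without one in the `references` entry, and `GHSA-3w8w-xvxq-jmwp`, cited in `details` as the original report, has no corresponding `references` entry.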