cbcvebase.
CVE-2024-7043
published 2025-03-20

CVE-2024-7043: An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether…

PriorityP353high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.56%
42.6th percentile
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all files uploaded by users, which includes the ID values. The attacker can then use the GET /api/v1/files/{file_id} interface to obtain information on any file and the DELETE /api/v1/files/{file_id} interface to delete any file.

Affected

6 ranges
VendorProductVersion rangeFixed in
linuxfoundationcups-filters>= 0 < 1.27.4-1ubuntu0.41.27.4-1ubuntu0.4
linuxfoundationcups-filters>= 0 < 1.28.15-0ubuntu1.41.28.15-0ubuntu1.4
linuxfoundationcups-filters>= 0 < 1.8.3-2ubuntu3.5+esm21.8.3-2ubuntu3.5+esm2
open-webuiopen-webui0 – 0.3.8
open-webuiopen-webui_open-webuiunspecified – latest
openwebuiopen_webui

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv3.08.1HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
osv8.6HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.