Danswer-Ai Danswer vulnerabilities
10 known vulnerabilities affecting danswer-ai/danswer-ai_danswer.
Total CVEs
10
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH6MEDIUM3
Vulnerabilities
Page 1 of 1
CVE-2024-9617P3MEDIUMCVSS 6.5PoC≥ unspecified, ≤ latest2025-03-20
CVE-2024-9617 [MEDIUM] CWE-639 CVE-2024-9617: An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The applic
An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
nvd
CVE-2024-7957P3CRITICALCVSS 9.1≥ unspecified, ≤ latest2025-03-20
CVE-2024-7957 [CRITICAL] CWE-29 CVE-2024-7957: An arbitrary file overwrite vulnerability exists in the ZulipConnector of danswer-ai/danswer, affect
An arbitrary file overwrite vulnerability exists in the ZulipConnector of danswer-ai/danswer, affecting the latest version. The vulnerability arises from the load_credentials method, where user-controlled input for realm_name and zuliprc_content is used to construct file paths and write file contents. This allows attackers to overwrite or create arbi
nvd
CVE-2024-7767P3HIGHCVSS 8.1≥ unspecified, ≤ latest2025-03-20
CVE-2024-7767 [HIGH] CWE-862 CVE-2024-7767: An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerab
An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations.
nvd
CVE-2024-7779P3HIGHCVSS 7.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-7779 [HIGH] CWE-1333 CVE-2024-7779: A vulnerability in danswer-ai/danswer version 1 allows an attacker to perform a Regular Expression D
A vulnerability in danswer-ai/danswer version 1 allows an attacker to perform a Regular Expression Denial of Service (ReDoS) by manipulating regular expressions. This can significantly slow down the application's response time and potentially render it completely unusable.
nvd
CVE-2025-0182P3HIGHCVSS 7.5≥ unspecified, ≤ latest2025-03-20
CVE-2025-0182 [HIGH] CWE-770 CVE-2025-0182: A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial of service through memory exha
A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial of service through memory exhaustion. The issue arises from the use of a vulnerable version of the starlette package (<=0.49) via fastapi, which was patched in fastapi version 0.115.3. The vulnerability can be exploited by sending multiple requests to the /auth/saml/callback endpoint,
nvd
CVE-2024-8028P3HIGHCVSS 7.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-8028 [HIGH] CWE-770 CVE-2024-8028: A vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to cause a Denial of Service (DoS)
A vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the server continuously processes each character, rendering the application inaccessible. This issue can be exploited b
nvd
CVE-2024-7819P3HIGHCVSS 7.4≥ unspecified, ≤ latest2025-03-20
CVE-2024-7819 [HIGH] CWE-346 CVE-2024-7819: A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information
A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the application's API.
nvd
CVE-2024-9612P3MEDIUMCVSS 6.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-9612 [MEDIUM] CWE-1100 CVE-2024-9612: In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, in
In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the front-end interface. However, the back-end does not verify the visibility status of the search page.
nvd
CVE-2024-8065P4HIGHCVSS 8.1≥ unspecified, ≤ latest2025-03-20
CVE-2024-8065 [HIGH] CWE-352 CVE-2024-8065: A Cross-Site Request Forgery (CSRF) vulnerability in version v1.4.1 of danswer-ai/danswer allows att
A Cross-Site Request Forgery (CSRF) vulnerability in version v1.4.1 of danswer-ai/danswer allows attackers to perform unauthorized actions in the context of the victim's browser. This includes connecting the victim's application with a malicious Slack Bot, inviting users, and deleting chats, among other actions. The application does not implement any CS
nvd
CVE-2024-8057P4MEDIUMCVSS 4.3≥ unspecified, ≤ latest2025-03-20
CVE-2024-8057 [MEDIUM] CWE-306 CVE-2024-8057: In version 0.4.1 of danswer-ai/danswer, a vulnerability exists where a basic user can create credent
In version 0.4.1 of danswer-ai/danswer, a vulnerability exists where a basic user can create credentials and link them to an existing connector. This issue arises because the system allows an unauthenticated attacker to sign up with a basic account and perform actions that should be restricted to admin users. This can lead to excessive resource consum
nvd