cvebase

Open-Webui Open-Webui vulnerabilities

25 known vulnerabilities affecting open-webui/open-webui_open-webui.

Total CVEs: 25
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 14, MEDIUM 8, LOW 1

Vulnerabilities

Page 2 of 2
CVE-2024-7049 | P4 | MEDIUM | CVSS 5.4 | ≥ unspecified, ≤ latest | 2024-10-10
CVE-2024-7049 [MEDIUM] CWE-488: In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. This allows the user to perform actions without admin confirmation, bypassing the intended approval process.
nvd
CVE-2024-7040 | P4 | MEDIUM | CVSS 4.9 | ≥ unspecified, ≤ latest | 2025-03-20
CVE-2024-7040 [MEDIUM] CWE-639: In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts.
nvd
CVE-2024-7045 | P4 | MEDIUM | CVSS 4.3 | ≥ unspecified, ≤ latest | 2025-03-20
CVE-2024-7045 [MEDIUM] CWE-862: In version v0.3.8 of open-webui/open-webui, improper access control vulnerabilities allow an attacker to view any prompts. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1/prompts/ interface to retrieve all prompt information created by the admin, which includes the ID values.
nvd
CVE-2024-7046 | P4 | MEDIUM | CVSS 4.3 | ≥ unspecified, ≤ latest | 2025-03-20
CVE-2024-7046 [MEDIUM] CWE-862: An improper access control vulnerability in open-webui/open-webui v0.3.8 allows an attacker to view admin details. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1/auths/admin/details interface to retrieve the first admin (owner) details.
nvd
CVE-2024-7038 | P4 | LOW | CVSS 2.7 | ≥ unspecified, ≤ latest | 2024-10-09
CVE-2024-7038 [LOW] CWE-209: An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existence and configuration of the file. This behavior allows an at
nvd