Lucene search

Filter: Openwebui / Open Webui / 0.3.8

9 matches found

CVE-2024-7043 (added 2025/03/20 10:15 a.m., 62 views)

An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all fi...

CVSS 8.8 | AI score 7.8 | EPSS 0.00043
CVE-2024-7990 (added 2025/03/20 10:15 a.m., 62 views)

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scri...

CVSS 8.4 | AI score 7.6 | EPSS 0.00096
CVE-2024-7039 (added 2025/03/20 10:15 a.m., 58 views)

In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint http://0.0.0.0:8080/api/v1/users/{uuid_administrator}. This action is restricted by the user ...

CVSS 8.3 | AI score 6.9 | EPSS 0.00065
CVE-2024-7053 (added 2025/03/20 10:15 a.m., 37 views)

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default SameSite=Lax and does not have the Secure flag enabled, allowing the session cookie to be sent over HTTP...

CVSS 9 | AI score 7.9 | EPSS 0.00126
CVE-2024-7036 (added 2025/03/20 10:15 a.m., 35 views)

A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the 'name' field, causing the Admin panel to become unresponsive. This prevents administrators from performing essential user management actions such as deleting, editing, or...

CVSS 7.5 | AI score 7.4 | EPSS 0.00195
CVE-2024-7040 (added 2025/03/20 10:15 a.m., 35 views)

In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, inc...

CVSS 4.9 | AI score 5.2 | EPSS 0.00053
CVE-2024-7959 (added 2025/03/20 10:15 a.m., 34 views)

The /openai/models endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). An attacker can change the OpenAI URL to any URL without checks, causing the endpoint to send a request to the specified URL and return the output. This vulnerability allows the a...

CVSS 7.7 | AI score 7.8 | EPSS 0.00091
CVE-2024-7983 (added 2025/03/20 10:15 a.m., 34 views)

In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of service. The server becomes unresponsive to other requests until t...

CVSS 7.5 | AI score 7.4 | EPSS 0.00432
CVE-2024-7049 (added 2024/10/10 8:15 a.m., 30 views)

In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. This allows the user to perform actions without admin confirmation, bypassing the intended approval process.

CVSS 5.4 | AI score 5.4 | EPSS 0.00074