CVE-2024-7039
📋 TL;DR
This vulnerability allows an authenticated admin user to delete other administrators through direct API calls, bypassing UI restrictions. It affects open-webui version v0.3.8 installations where admin users exist. The vulnerability enables privilege escalation through administrative account removal.
💻 Affected Systems
- open-webui/open-webui
📦 What is this software?
Open Webui by Openwebui
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of administrative control through removal of all other admin accounts, enabling a single malicious admin to take full control of the system.
Likely Case
Targeted removal of specific administrators by a compromised or malicious admin account, leading to unauthorized privilege changes and potential data manipulation.
If Mitigated
Limited impact with proper API access controls and admin account monitoring in place.
🎯 Exploit Status
Exploitation requires admin credentials and direct API access. Simple HTTP DELETE request to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.3.9 or later
Vendor Advisory: https://huntr.com/bounties/27fc8a5a-546e-4cf2-8edb-df42e36518fc
Restart Required: Yes
Instructions:
1. Update open-webui to version v0.3.9 or later.
2. Restart the open-webui service.
3. Verify the fix by checking the version and testing admin deletion restrictions.
🔧 Temporary Workarounds
API Access Restriction
Implement API gateway or reverse proxy rules to restrict access to the vulnerable endpoint. Note that this rule blocks every DELETE against the users endpoint, including legitimate user removals, and it only helps if the proxy is the sole route to the open-webui backend.
    # Example nginx location block to restrict /api/v1/users/ DELETE requests
    location ~ ^/api/v1/users/.*$ {
        if ($request_method = DELETE) {
            return 403;
        }
    }
Admin Account Monitoring
Implement logging and alerting for admin account deletion events.
# Monitor open-webui logs for admin deletion patterns
grep -i "delete.*admin" /var/log/open-webui/*.log
🧯 If You Can't Patch
- Implement strict API access controls and rate limiting for admin endpoints
- Establish multi-admin approval workflows for administrative account changes
🔍 How to Verify
Check if Vulnerable:
Check if running open-webui v0.3.8 and test if admin users can delete other admins via direct API DELETE request to /api/v1/users/{uuid_administrator}
Check Version:
docker exec open-webui-container cat /app/package.json | grep version
Verify Fix Applied:
After updating to v0.3.9+, verify admin users cannot delete other administrators through API calls
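The version check above is easy to get wrong with plain string comparison ("0.3.10" sorts before "0.3.9" lexically). The following is an added example, not open-webui or vendor code: it pulls the version out of package.json content and compares it numerically against the fix version v0.3.9. It assumes every release before v0.3.9 should be treated as affected, which goes beyond the page's statement that v0.3.8 is affected. The package.json text is constructed for the example.

```python
"""Decide whether an open-webui version string predates the v0.3.9 fix.

Added example (not open-webui or vendor code). Assumption: any version
below 0.3.9 is treated as affected; the advisory itself names v0.3.8.
"""
import json
import re
from typing import Tuple

FIXED_VERSION: Tuple[int, int, int] = (0, 3, 9)  # patch version named by the advisory

# Accepts "v0.3.8", "0.3.8", "0.3.8-rc1"; ignores any pre-release suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str) -> bool:
    """True when the version is older than the fixed release (numeric compare)."""
    return parse_version(version) < FIXED_VERSION


def version_from_package_json(content: str) -> str:
    """Extract the "version" field from package.json text (what the docker
    exec ... cat /app/package.json command above would print)."""
    return json.loads(content)["version"]


# Constructed package.json content standing in for /app/package.json.
SAMPLE_PACKAGE_JSON = '{"name": "open-webui", "version": "0.3.8"}'

if __name__ == "__main__":
    v = version_from_package_json(SAMPLE_PACKAGE_JSON)
    print(f"open-webui {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
```

Feed the real output of the docker exec command above into version_from_package_json; the numeric comparison means "0.3.10" and "0.4.0" correctly count as fixed.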
📡 Detection & Monitoring
Log Indicators:
- DELETE requests to /api/v1/users/ endpoints
- Admin user deletion events in application logs
- Unusual admin account activity patterns
Network Indicators:
- HTTP DELETE requests to admin user API endpoints
- Unusual API call patterns from admin accounts
SIEM Query:
source="open-webui" AND (method="DELETE" AND uri_path="/api/v1/users/*")
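As an added example (not open-webui or vendor code) of the log indicator above, this script scans reverse-proxy access log lines for DELETE requests to /api/v1/users/<id> and reports each one with its source address, the targeted user id and whether the backend accepted it, so a 200 (deletion went through) can be triaged differently from a 403 (blocked by the nginx workaround). It assumes the nginx "combined" log format; the log lines and user ids are constructed.

```python
"""Flag DELETE requests against open-webui's /api/v1/users/<id> endpoint in
reverse-proxy access logs. Added example, not open-webui or vendor code.
Assumption: logs are in nginx's "combined" format."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# nginx "combined" format: src ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The user-deletion endpoint named in the advisory; the last segment is the target user.
USERS_PATH_RE = re.compile(r'^/api/v1/users/(?P<user_id>[^/?]+)/?$')


@dataclass
class Alert:
    src: str
    ts: str
    target_user: str
    status: int
    user_agent: str

    @property
    def succeeded(self) -> bool:
        """Deletion reached the backend and was accepted (2xx)."""
        return 200 <= self.status < 300


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; malformed lines yield None rather than raising."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def detect_user_deletions(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per DELETE aimed at /api/v1/users/<id>."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "DELETE":
            continue
        pm = USERS_PATH_RE.match(rec["path"])
        if pm is None:
            continue  # DELETE to some other resource (e.g. a chat) is out of scope
        alerts.append(Alert(rec["src"], rec["ts"], pm.group("user_id"),
                            int(rec["status"]), rec["ua"]))
    return alerts


# Constructed sample log: one listing, one successful deletion, one blocked
# by the nginx workaround, and one DELETE against an unrelated endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2024:10:01:02 +0000] "GET /api/v1/users/ HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Aug/2024:10:01:10 +0000] "DELETE /api/v1/users/0f3c2a1e-aaaa-bbbb-cccc-000000000001 HTTP/1.1" 200 18 "-" "curl/8.0"
10.0.0.7 - - [12/Aug/2024:10:02:00 +0000] "DELETE /api/v1/users/0f3c2a1e-aaaa-bbbb-cccc-000000000002 HTTP/1.1" 403 0 "-" "python-requests/2.31"
10.0.0.9 - - [12/Aug/2024:10:03:00 +0000] "DELETE /api/v1/chats/42 HTTP/1.1" 200 10 "-" "Mozilla/5.0"
not a log line at all
"""

if __name__ == "__main__":
    for a in detect_user_deletions(SAMPLE_LOG.splitlines()):
        state = "SUCCEEDED" if a.succeeded else "blocked"
        print(f"{a.ts} {a.src} DELETE user {a.target_user} -> {a.status} ({state}) ua={a.user_agent!r}")
```

A successful DELETE from an admin session is the event to correlate with the application's own admin-deletion log entries; a run of 403s from one source after the workaround is deployed is a sign the endpoint is being probed and is worth reviewing that admin account.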