CVE-2024-7043
📋 TL;DR
An improper access control vulnerability in Open WebUI v0.3.8 allows unauthenticated attackers to view and delete any files uploaded by users. Attackers can enumerate all files via the GET /api/v1/files/ endpoint and then retrieve or delete specific files using their IDs. All users of Open WebUI v0.3.8 are affected.
💻 Affected Systems
- open-webui/open-webui
📦 What is this software?
Open Webui by Openwebui
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of all user-uploaded files including sensitive documents, configuration files, and application data, potentially leading to data destruction, service disruption, and privacy violations.
Likely Case
Unauthorized access to sensitive user files and selective deletion of important data, causing operational impact and potential data breaches.
If Mitigated
Minimal impact with proper authentication and authorization controls preventing unauthorized file access.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoints without authentication. The vulnerability is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.3.9 or later
Vendor Advisory: https://huntr.com/bounties/c01e0c7f-68d8-45cf-91d2-521c97f33b00
Restart Required: Yes
Instructions:
1. Update Open WebUI to version v0.3.9 or later.
2. Restart the Open WebUI service.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the Open WebUI instance to trusted IP addresses only.
Use firewall rules to limit access to Open WebUI ports (typically 8080 or 3000) to authorized IPs only.
Reverse Proxy Authentication
Place Open WebUI behind a reverse proxy with authentication requirements.
Configure nginx/apache reverse proxy with authentication (e.g., basic auth, OAuth) in front of Open WebUI.
🧯 If You Can't Patch
- Disable or restrict the /api/v1/files/ endpoints at the web server or application firewall level.
- Implement file access logging and monitoring to detect unauthorized file operations.
🔍 How to Verify
Check if Vulnerable:
Check if running Open WebUI v0.3.8. Attempt to access GET /api/v1/files/ without authentication - if it returns file information, the system is vulnerable.
Check Version:
Check the Open WebUI version in the web interface or via the application's version endpoint if available.
Verify Fix Applied:
After updating to v0.3.9+, attempt to access GET /api/v1/files/ without authentication - it should return an authentication error or 403 Forbidden.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /api/v1/files/ endpoints
- Multiple DELETE requests to /api/v1/files/{file_id} from unauthenticated users
- Unusual file access patterns from single IP addresses
Network Indicators:
- HTTP GET requests to /api/v1/files/ without authentication headers
- HTTP DELETE requests to /api/v1/files/{file_id} patterns
SIEM Query:
source="open-webui" AND (uri_path="/api/v1/files/" OR uri_path="/api/v1/files/*") AND NOT auth_status="authenticated"
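The log indicators above, turned into a small detector that runs over access-log lines. This is an added example, not code from the Open WebUI project or from the advisory; it assumes a constructed log format in which the reverse proxy appends an `auth=` field recording whether the request carried credentials (`none` or `bearer`), since stock access logs do not record that by themselves. The sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample access log (not real traffic). Final field is an
# assumed proxy annotation: auth=none means no Authorization header was sent.
SAMPLE_LOG = """\
203.0.113.7 - [12/Aug/2024:10:01:02 +0000] "GET /api/v1/files/ HTTP/1.1" 200 auth=none
203.0.113.7 - [12/Aug/2024:10:01:05 +0000] "GET /api/v1/files/3f1c9b2e HTTP/1.1" 200 auth=none
203.0.113.7 - [12/Aug/2024:10:01:06 +0000] "DELETE /api/v1/files/3f1c9b2e HTTP/1.1" 200 auth=none
198.51.100.4 - [12/Aug/2024:10:02:00 +0000] "GET /api/v1/files/ HTTP/1.1" 200 auth=bearer
198.51.100.4 - [12/Aug/2024:10:02:10 +0000] "GET /api/v1/chats/ HTTP/1.1" 200 auth=bearer
203.0.113.7 - [12/Aug/2024:10:01:07 +0000] "DELETE /api/v1/files/9a77d0e1 HTTP/1.1" 200 auth=none
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) auth=(?P<auth>\S+)$'
)
# Matches the listing endpoint (no id) and the per-file endpoint (with id).
FILES_RE = re.compile(r'^/api/v1/files/(?P<file_id>[^/?]+)?/?$')


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return every request to /api/v1/files/ that carried no credentials.

    kind is 'enumerate' for the listing endpoint, otherwise the lowercase
    method (get/delete) on a specific file id. succeeded is True when the
    server answered 2xx, i.e. the unauthenticated call was NOT rejected,
    which is the behaviour the fix in v0.3.9 is meant to stop.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        fm = FILES_RE.match(rec["path"])
        if not fm or rec["auth"] != "none":
            continue
        kind = "enumerate" if not fm.group("file_id") else rec["method"].lower()
        events.append({"ip": rec["ip"], "kind": kind, "file_id": fm.group("file_id"),
                       "succeeded": rec["status"].startswith("2")})
    return events


def summarize(events):
    """Per-IP counts of unauthenticated enumerate/get/delete activity."""
    summary = {}
    for ev in events:
        summary.setdefault(ev["ip"], Counter())[ev["kind"]] += 1
    return summary


if __name__ == "__main__":
    for ip, counts in summarize(find_suspicious(SAMPLE_LOG)).items():
        print(ip, dict(counts))
```

A single source IP listing files and then issuing several DELETEs, all without credentials and all answered with 2xx, is the pattern to alert on; after the fix the same requests should show up with 401/403 and `succeeded` False.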