CVE-2024-7041
MEDIUMopen-webui v0.3.8 - Authorization Bypass via Memories Update API Endpoint
Title source: llmDescription
An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint `http://0.0.0.0:3000/api/v1/memories/{id}/update`, where the decentralization design is flawed, allowing attackers to edit other users' memories without proper authorization.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/6855227f-1237-47b8-8d37-29aad7ddec3a
Scores
CVSS v3
6.5
EPSS
0.0036
EPSS Percentile
27.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (2)
openwebui/open_webui
0.3.8
pypi/open-webui
0PyPI
Published
Oct 09, 2024
Tracked Since
Feb 18, 2026