CVE-2024-7043
Published: 20 March 2025
Summary
CVE-2024-7043 is a high-severity Missing Authorization (CWE-862) vulnerability in Openwebui Open Webui. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability ranks at the 40.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-7043 is an improper access control vulnerability (CWE-862) in open-webui/open-webui version 0.3.8. The issue stems from the application failing to verify whether a user is an administrator before allowing access to file management functions. Attackers can directly invoke the GET /api/v1/files/ endpoint to retrieve information on all files uploaded by users, including their ID values.
A low-privileged remote attacker (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By first listing all files via GET /api/v1/files/, the attacker obtains file IDs, then uses GET /api/v1/files/{file_id} to view any file's contents and DELETE /api/v1/files/{file_id} to delete it. This results in high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 8.8.
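As an added illustration (not Open WebUI's own code), the following Python models the three file endpoints named above with the missing admin check beside an enforced one. The role names, the owner-or-admin rule and the sample file store are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "admin" or "user" (assumed role model, not Open WebUI's)


# Constructed sample store: file_id -> (owner, content)
FILES = {
    "f-1": ("alice", "alice's notes"),
    "f-2": ("bob", "bob's report"),
}


def _listing():
    return [{"id": fid, "owner": owner} for fid, (owner, _) in FILES.items()]


def list_files_vulnerable(user):
    """Mirrors the CWE-862 flaw: authentication is checked, the admin role is not,
    so any logged-in user learns every file ID (the first step the advisory describes)."""
    if user is None:
        return 401, "unauthenticated"
    return 200, _listing()


def _authorize(user, file_id=None):
    """AC-3/AC-6 style enforcement, returned as (status, message) or None if allowed.
    Admins may list, read and delete anything; other users only their own files."""
    if user is None:
        return 401, "unauthenticated"
    if user.role == "admin":
        return None
    if file_id is None:
        return 403, "admin role required"  # listing every file is admin-only
    rec = FILES.get(file_id)
    if rec is None or rec[0] != user.name:
        return 404, "not found"  # same answer for missing and foreign IDs
    return None


def list_files(user):
    return _authorize(user) or (200, _listing())


def get_file(user, file_id):
    return _authorize(user, file_id) or (200, FILES[file_id][1])


def delete_file(user, file_id):
    denied = _authorize(user, file_id)
    if denied:
        return denied
    del FILES[file_id]
    return 204, None
```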
Mitigation details and additional information are available in the advisory published on Huntr at https://huntr.com/bounties/c01e0c7f-68d8-45cf-91d2-521c97f33b00. The vulnerability was published on 2025-03-20.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6966
Vulnerability details
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all files uploaded by users, which includes the ID values. The attacker can then use the GET /api/v1/files/{file_id} interface to obtain information on any file and the DELETE /api/v1/files/{file_id} interface to delete any file.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The improper access control vulnerability allows unauthorized attackers to list all files (T1083), retrieve file contents (T1005), and delete any files (T1070.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the lack of admin verification on file listing, viewing, and deletion APIs.
AC-6 enforces least privilege, preventing low-privileged attackers from accessing or deleting files reserved for administrators.
AC-24 requires access control decisions based on policy, mitigating unauthorized file operations by ensuring proper authorization checks before granting access.