CVE-2024-7040 MEDIUM

CVE-2024-7040: Improper Access Control in open-webui/open-webui

Vendor Open-Webui
Product open-webui/open-webui
Weakness CWE-639 · IDOR
Published March 20, 2025
Last update October 15, 2025

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

In open-webui/open-webui v0.3.8, the admin page is intended to let administrators view only the chats of non-admin users. That restriction is not enforced on the request itself: by modifying the user_id parameter, an administrator can retrieve the chats of any other administrator, including the owner account. This is the CWE-639 pattern (authorization bypass through a user-controlled key, commonly called IDOR): the caller's privilege is checked, but the object identifier supplied by the caller is not checked against what that caller is allowed to access. Because exploitation requires an administrator account, the CVSS vector scores Privileges Required as High, which keeps the base score at 4.9 despite the High confidentiality impact.
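To make the failure mode concrete, the following is an added example (not code from Open WebUI or from the advisory) that models the admin chat-listing check in plain Python: the vulnerable shape, which validates only the caller's role and trusts the frontend to send permitted user_id values, beside a server-side check that also validates the target. The user ids, role names, chat data and function names are all assumptions constructed for illustration.

```python
# Added example, not Open WebUI code: the CWE-639 pattern described in the
# advisory beside a server-side fix. All names and data here are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Union


@dataclass(frozen=True)
class User:
    id: str
    role: str  # assumed role names: "admin" or "user"


@dataclass(frozen=True)
class Chat:
    id: str
    user_id: str
    title: str


class Forbidden(Exception):
    """Raised when the requester may not view the requested chats."""


# Constructed sample data: the owner, a second admin and one ordinary user.
USERS: Dict[str, User] = {
    "u-owner": User("u-owner", "admin"),
    "u-admin2": User("u-admin2", "admin"),
    "u-alice": User("u-alice", "user"),
}
CHATS: List[Chat] = [
    Chat("c1", "u-owner", "owner: rotating the API keys"),
    Chat("c2", "u-admin2", "admin2: draft incident report"),
    Chat("c3", "u-alice", "alice: lunch plans"),
]


def list_chats_vulnerable(requester: User, user_id: str) -> List[Chat]:
    """Vulnerable shape: the server checks only that the caller is an admin
    and relies on the frontend to send non-admin user_ids. Editing user_id
    in the request returns any account's chats, other admins included."""
    if requester.role != "admin":
        raise Forbidden("admin only")
    return [c for c in CHATS if c.user_id == user_id]


def can_view_chats(requester: User, user_id: str) -> bool:
    """Server-side rule matching the advisory's stated intent: an admin may
    view the chats of non-admin users only. The target's role is looked up
    on the server, so a tampered user_id gains nothing."""
    if requester.role != "admin":
        return False
    target = USERS.get(user_id)
    return target is not None and target.role != "admin"


def list_chats_fixed(requester: User, user_id: str) -> List[Chat]:
    """Hardened shape: authorize the (caller, target) pair before fetching."""
    if not can_view_chats(requester, user_id):
        raise Forbidden("may only view chats of non-admin users")
    return [c for c in CHATS if c.user_id == user_id]


def attempt(handler: Callable[[User, str], List[Chat]],
            requester: User, user_id: str) -> Union[List[str], str]:
    """Run a handler as the given requester; return chat ids or 'forbidden'."""
    try:
        return [c.id for c in handler(requester, user_id)]
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    admin2 = USERS["u-admin2"]
    # The UI would only send "u-alice"; a tampered request sends "u-owner".
    for target in ("u-alice", "u-owner"):
        print(target,
              "vulnerable:", attempt(list_chats_vulnerable, admin2, target),
              "fixed:", attempt(list_chats_fixed, admin2, target))
```

The design point is that `can_view_chats` decides on the pair (requester, target) rather than on the requester alone, and it resolves the target from server-side state rather than from anything in the request. An unknown user_id is denied the same way as a disallowed one, so the endpoint does not become an oracle for which ids exist.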

Key dates

02 Disclosure timeline

March 20, 2025 CVE published
October 15, 2025 Record updated