CVE-2024-7045 Information

Description

In version v0.3.8 of open-webui/open-webui, improper access control vulnerabilities allow an attacker to view any prompt. The application does not verify whether the caller is an administrator, allowing the attacker to directly call the /api/v1/prompts/ interface to retrieve all prompt information created by the admin, which includes the ID values. Subsequently, the attacker can exploit the /api/v1/prompts/command/command_id interface to obtain arbitrary prompt information.
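As an added illustration of the bug class (this is not open-webui's code and not its patch), the following framework-independent sketch places a listing handler that only authenticates the caller beside one that also enforces role and per-object ownership. The data model, the "admin"/"user" roles, the ownership rule and the sample prompts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class User:
    id: str
    role: str  # assumed roles: "admin" or "user"


@dataclass(frozen=True)
class Prompt:
    command: str   # assumed lookup key for the by-command endpoint
    user_id: str   # assumed owner of the prompt
    content: str


# Constructed sample data, not taken from the advisory.
PROMPTS: List[Prompt] = [
    Prompt("/summarize", "admin-1", "Summarize the following text"),
    Prompt("/private-note", "admin-1", "Internal admin-only prompt"),
    Prompt("/greet", "user-7", "Say hello"),
]


def list_prompts_vulnerable(user: User) -> List[Prompt]:
    # The pattern the advisory describes: the caller is authenticated,
    # but no role or ownership check is made, so everyone sees everything.
    return list(PROMPTS)


def list_prompts_fixed(user: User) -> List[Prompt]:
    # Hardened: administrators see all prompts; others see only their own.
    if user.role == "admin":
        return list(PROMPTS)
    return [p for p in PROMPTS if p.user_id == user.id]


def get_prompt_by_command_fixed(user: User, command: str) -> Optional[Prompt]:
    # Object-level check on the second endpoint: knowing an ID or command
    # from the listing must not be enough to read the record. Returning None
    # for both "not found" and "not allowed" avoids an existence oracle.
    for p in PROMPTS:
        if p.command == command:
            if user.role == "admin" or p.user_id == user.id:
                return p
            return None
    return None
```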

Reference

https://huntr.com/bounties/03ea0826-af7b-4717-b63e-90fd19675ab2
