CVE-2024-8053 Information
Mar 21, 2025
Description
In version v0.3.10 of open-webui/open-webui, the api/v1/utils/pdf endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with an excessively large payload, potentially leading to server resource exhaustion and denial of service (DoS). Additionally, unauthorized users can misuse the endpoint to generate PDFs without verification, resulting in service misuse and potential operational and financial impacts.
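The two controls the description says are missing, authentication and a request-size limit, shown as an added example (not open-webui's code or its actual fix): a standard-library WSGI middleware that rejects unauthenticated or oversized requests before they reach a PDF handler. The static bearer token, the 256 KiB cap and the class name PdfEndpointGuard are assumptions made for illustration.

```python
import hmac
import io

PDF_PATH = "/api/v1/utils/pdf"   # endpoint named in the advisory
MAX_BODY_BYTES = 256 * 1024      # assumed cap; size it to legitimate PDF requests


class PdfEndpointGuard:
    """WSGI middleware: authenticate and size-limit requests to the PDF endpoint."""

    def __init__(self, app, api_token, max_body=MAX_BODY_BYTES):
        self.app = app
        self.api_token = api_token   # hypothetical static token, for illustration only
        self.max_body = max_body

    def _reject(self, start_response, status):
        body = status.encode()
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))])
        return [body]

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "").rstrip("/") != PDF_PATH:
            return self.app(environ, start_response)
        # 1. Authenticate first, so anonymous clients never reach the body or the renderer.
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        ok = hmac.compare_digest(token.encode(), self.api_token.encode())
        if scheme.lower() != "bearer" or not ok:
            return self._reject(start_response, "401 Unauthorized")
        # 2. Require a declared length and refuse anything above the cap.
        try:
            length = int(environ.get("CONTENT_LENGTH") or "")
        except ValueError:
            return self._reject(start_response, "411 Length Required")
        if length < 0 or length > self.max_body:
            return self._reject(start_response, "413 Content Too Large")
        # 3. Give the handler a stream that cannot yield more than was declared.
        environ["wsgi.input"] = io.BytesIO(environ["wsgi.input"].read(length))
        return self.app(environ, start_response)
```

The same ordering applies in any framework: reject on identity before reading the body, and enforce the size cap before the payload is parsed or rendered.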
Reference
https://huntr.com/bounties/ebe8c1fa-113b-4df9-be03-a406b9adb9f4