Pending Role Logins Bypass Approval Process
CVE-2024-7049

5.4MEDIUM

Key Information:

Vendor: Open-webui
Status: Open-webui/open-webui
Vendor: CVE Published:; 10 October 2024

Summary

In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. This allows the user to perform actions without admin confirmation, bypassing the intended approval process.

Affected Version(s)

open-webui/open-webui <= unspecified

References

https://huntr.com/bounties/ee9e3532-8ef1-4599-bb59-b8e2ba...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 10, 2024
Vulnerability Reserved
Jul 23, 2024