Authentication Bypass in open-webui's PDF Generation Service
CVE-2024-8053

8.2 HIGH

Key Information:

Vendor: Open-webui
CVE Published: 20 March 2025

Summary

In version v0.3.10 of open-webui, the api/v1/utils/pdf endpoint lacks proper authentication, allowing unauthenticated attackers to reach and misuse the PDF generation service. By sending a POST request with an excessively large payload, an attacker can exhaust server resources and cause a denial of service (DoS). Beyond permitting unauthorized PDF generation, this vulnerability may therefore have operational and financial impacts on affected services.

Affected Version(s)

open-webui/open-webui <= unspecified

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

CVSS V3.0

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
