open-webui/open-webui
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*
- v0.3.8
An improper privilege management vulnerability exists in Open-WebUI version 0.3.8. The application allows an admin user to delete other administrators through the API, despite this action being restricted in the user interface. The vulnerability arises because the API endpoint for user deletion does not properly enforce privilege checks, allowing admins to remove each other arbitrarily.
Exploitation of this vulnerability allows an admin user to delete other administrators from the application.
To reproduce this vulnerability, log into the application as an admin. Then, send a DELETE request to the API endpoint for user deletion, including the UUID of the administrator to be removed and an authorization token. The request will successfully delete the specified administrator.
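The pattern behind a fix for this class of bug, as an added example that is not Open WebUI's own code: the deletion handler's authorization check before and after, so the restriction the UI already applies is also enforced at the API layer. The names `User`, `Forbidden`, `delete_user_vulnerable` and `delete_user_fixed` and the in-memory user store are assumptions constructed for the example.

```python
# Added example, not Open WebUI's own code. Names and the user store are
# hypothetical; the point is where the privilege check lives.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    id: str
    email: str
    role: str  # "admin" or "user"


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


# Constructed sample data: two admins and one regular user.
USERS: Dict[str, User] = {
    "a1": User("a1", "alice@example.com", "admin"),
    "a2": User("a2", "bob@example.com", "admin"),
    "u1": User("u1", "carol@example.com", "user"),
}


def delete_user_vulnerable(users: Dict[str, User], requester_id: str, target_id: str) -> bool:
    """Before: only checks that the caller holds the admin role, so any admin
    can delete any account, including other admins (the UI hides the button,
    but the API never re-checks the rule)."""
    if users[requester_id].role != "admin":
        raise Forbidden("admin role required")
    return users.pop(target_id, None) is not None


def delete_user_fixed(users: Dict[str, User], requester_id: str, target_id: str) -> bool:
    """After: the same policy the UI applies, enforced in the API handler.
    Returns False when the target does not exist."""
    if users[requester_id].role != "admin":
        raise Forbidden("admin role required")
    target: Optional[User] = users.get(target_id)
    if target is None:
        return False
    if target.role == "admin":
        # Admin accounts (including the caller's own) cannot be removed here.
        raise Forbidden("admins cannot delete other admin accounts")
    del users[target_id]
    return True
```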