open-webui/open-webui
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*
- 0.3.8
A vulnerability in Open-WebUI version 0.3.8 allows attackers to bypass access controls and view or delete any uploaded file. The issue arises because the application does not verify whether the requesting user is an administrator before serving the file-management routes. This flaw enables attackers to use the GET /api/v1/files/ endpoint to list all user-uploaded files, including their ID values. Subsequently, they can use the GET /api/v1/files/{file_id} endpoint to retrieve information about a specific file and the DELETE /api/v1/files/{file_id} endpoint to remove any file.
Exploitation of this vulnerability allows unauthorized viewing and deletion of files, compromising the confidentiality and integrity of the application's file management system.
To reproduce this vulnerability, send a GET request to the /api/v1/files/ endpoint. This request can be made without administrative privileges, and it will return a list of all files uploaded by users, including their ID values. Once the file IDs are obtained, they can be used to access or delete specific files by sending GET or DELETE requests to the /api/v1/files/{file_id} endpoint, respectively.
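As an added illustration of the missing check (this is not Open WebUI's code and not its actual fix), a minimal in-memory model of the three routes named above, with the unchecked listing beside a hardened version that lets administrators see every record and limits other users to their own uploads; the User, FileRecord and FileStore names and the role strings are assumptions:

```python
from dataclasses import dataclass

# Constructed model; not Open WebUI's code or its fix. It mirrors the three
# routes in the advisory (list, get, delete) and adds the admin/owner check
# that 0.3.8 did not perform. Role names and class names are assumptions.

@dataclass
class User:
    id: str
    role: str  # "admin" or "user"

@dataclass
class FileRecord:
    id: str
    user_id: str  # uploader
    filename: str

class Forbidden(Exception):
    """Caller is neither an admin nor the file's owner (HTTP 403)."""

class FileStore:
    def __init__(self) -> None:
        self.files: dict[str, FileRecord] = {}

    # Vulnerable shape: any authenticated caller receives every record.
    def list_files_unchecked(self, _user: User) -> list[FileRecord]:
        return list(self.files.values())

    # Hardened: admins see everything, other users only their own uploads.
    def list_files(self, user: User) -> list[FileRecord]:
        if user.role == "admin":
            return list(self.files.values())
        return [f for f in self.files.values() if f.user_id == user.id]

    def _authorize(self, user: User, file_id: str) -> FileRecord:
        record = self.files.get(file_id)
        if record is None:
            raise KeyError(file_id)  # 404
        if user.role != "admin" and record.user_id != user.id:
            # Many APIs answer 404 here as well, so a probe cannot confirm an ID.
            raise Forbidden(file_id)
        return record

    def get_file(self, user: User, file_id: str) -> FileRecord:
        return self._authorize(user, file_id)

    def delete_file(self, user: User, file_id: str) -> None:
        self._authorize(user, file_id)
        del self.files[file_id]
```

The same _authorize guard is what the get and delete routes need; the list route additionally has to filter rather than reject, since a non-admin caller legitimately owns some of the records.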