Open-WebUI Access Control Vulnerability Allowing Unauthorized Admin Detail Access

Vulnerability

A vulnerability in Open-WebUI version 0.3.8 allows attackers to access admin details due to improper access control. The application fails to verify whether the requester is an administrator, so any authenticated user can call the '/api/v1/auths/admin/details' endpoint directly and retrieve information about the first admin (the instance owner).

Impact

Exploitation of this vulnerability allows unauthorized users to view sensitive admin information, including the admin's name and email address.

Reproduction

To reproduce this vulnerability, send a GET request to the '/api/v1/auths/admin/details' endpoint. Include an Authorization header with a valid bearer token. The request can be made using tools like cURL or Postman.
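As an added illustration (not Open-WebUI's own code), the missing check modelled in plain Python: the vulnerable handler, which hands the owner's details to any authenticated requester, beside a version that enforces the admin role the advisory says is not verified. `User`, `USERS`, `require_admin` and the handler names are assumptions made for this example.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Optional

@dataclass(frozen=True)
class User:
    id: str
    name: str
    email: str
    role: str  # "admin", "user" or "pending" (assumed role names)

# Constructed sample user table; the first admin is the instance owner.
USERS = [
    User("u1", "Site Owner", "owner@example.invalid", "admin"),
    User("u2", "Regular User", "alice@example.invalid", "user"),
    User("u3", "Awaiting Approval", "bob@example.invalid", "pending"),
]

def first_admin(users) -> Optional[User]:
    """Return the first admin account, or None if no admin exists yet."""
    return next((u for u in users if u.role == "admin"), None)

def owner_details() -> tuple:
    """Build the (status, body) response for the owner lookup."""
    owner = first_admin(USERS)
    if owner is None:
        return 404, {"detail": "no admin account configured"}
    return 200, {"name": owner.name, "email": owner.email}

def admin_details_vulnerable(requester: User) -> tuple:
    """Mirrors the flaw: authentication is assumed, authorization is never checked."""
    return owner_details()

def require_admin(handler):
    """Authorization guard: reject any requester whose role is not 'admin'."""
    @wraps(handler)
    def guarded(requester: User):
        if requester.role != "admin":
            return 403, {"detail": "admin role required"}
        return handler(requester)
    return guarded

@require_admin
def admin_details_fixed(requester: User) -> tuple:
    """Same lookup, but only reachable by an administrator."""
    return owner_details()
```

A regression test for the fix is the non-admin case: the hardened handler must answer 403 where the vulnerable one answered 200 with the owner's email.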

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.