Danswer Search Page API Bypass Vulnerability

Vulnerability

Danswer version 0.3.94 lets administrators control the visibility of pages within a workspace, including the search page. When the search page is made invisible, regular users cannot reach it or its features from the front-end. The back-end, however, does not check the visibility status, so an attacker can call the API directly and use the search page's functionality, circumventing the administrator's restriction.
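
The missing check, shown as an added example that is not Danswer's code: a handler that ignores the visibility setting next to one that enforces it on the server and fails closed. All names, route paths and the settings layout are hypothetical.

```python
# Added illustration: every name here is hypothetical, not Danswer's real code.
from functools import wraps

class PageDisabled(Exception):
    """Would map to an HTTP 403 response in a real web framework."""

# Constructed sample workspace settings: the admin has hidden the search page.
SETTINGS = {"search": False, "chat": True}

def run_search(query):
    return [f"doc matching {query!r}"]  # stand-in for the real search backend

def search_vulnerable(query):
    # The front-end hides the page, but this handler never reads SETTINGS.
    return run_search(query)

def require_visible(page):
    """Reject the call unless the admin has the page enabled."""
    def decorator(handler):
        @wraps(handler)
        def guarded(*args, **kwargs):
            # Read the setting per request so admin changes apply at once;
            # an unknown or missing page name is treated as disabled.
            if SETTINGS.get(page, False) is not True:
                raise PageDisabled(page)
            return handler(*args, **kwargs)
        guarded.required_page = page  # marker used by the audit below
        return guarded
    return decorator

@require_visible("search")
def search_hardened(query):
    return run_search(query)

def unguarded(routes):
    """Audit helper: list route paths whose handler has no visibility guard."""
    return sorted(p for p, h in routes.items() if not hasattr(h, "required_page"))

# Hypothetical route table, as a test suite might enumerate it.
ROUTES = {
    "/api/search/vulnerable": search_vulnerable,
    "/api/search/hardened": search_hardened,
}
```

Running `unguarded(ROUTES)` in a test suite flags any page-backed endpoint that was registered without the server-side guard.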

Impact

Exploitation of this vulnerability allows for unauthorized access to the search page's API functionalities, bypassing front-end visibility controls.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.