HIGH 7.5

GHSA-wcwp-9rcp-jvfg

Open WebUI Uncontrolled Resource Consumption vulnerability

Details

A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the 'name' field, causing the Admin panel to become unresponsive. This prevents administrators from performing essential user management actions such as deleting, editing, or adding users. The vulnerability can also be exploited by authenticated users with low privileges, leading to the same unresponsive state in the Admin panel.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / open-webui

Introduced in: 0

No fixed version published yet for open-webui (pip). Pin to a known-safe version or switch to an alternative.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-7036 [ADVISORY]
https://github.com/open-webui/open-webui [PACKAGE]
https://huntr.com/bounties/ba62d093-ab27-48fa-9c53-0602c8cdc48a [WEB]