In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint requires no authentication, so any unauthenticated client can reach the PDF generation service. An attacker can send a POST request with an excessively large payload, exhausting server resources and causing a denial of service (DoS). Unauthenticated users can also use the endpoint to generate PDFs at will, consuming the service without any identity check and creating operational and financial cost for the operator.
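The two controls the advisory implies are missing, an identity check before the request is served and a cap on request size, are shown below in a framework-independent form. This is an added illustration, not open-webui's own code: the handler names, the bearer-token scheme, the 256 KiB cap and the stub renderer are all assumptions chosen for the example; the project's actual fix and its real PDF renderer are not reproduced here.

```python
"""Illustrative 'before' and 'after' guards for a PDF-generation endpoint.

Example code only; it does not reproduce open-webui's implementation.
Headers are passed as a dict with lower-cased keys, body as bytes.
"""
import hashlib
import hmac
from typing import Mapping, Tuple

# Constructed example token. A real service verifies per-user tokens against
# its user store; hashing keeps the raw secret out of the comparison path.
VALID_TOKEN_SHA256 = hashlib.sha256(b"example-user-token").hexdigest()

# Assumed cap for a chat export; tune to the largest legitimate document.
MAX_PDF_BODY_BYTES = 256 * 1024


def generate_pdf(body: bytes) -> bytes:
    """Stand-in for the real renderer, just enough to show the request flow."""
    return b"%PDF-1.4 stub " + str(len(body)).encode()


def vulnerable_pdf_handler(headers: Mapping[str, str], body: bytes) -> Tuple[int, bytes]:
    """The behaviour the advisory describes: no identity check, no size limit,
    so any client can submit an arbitrarily large body straight to the renderer."""
    return 200, generate_pdf(body)


def _token_ok(headers: Mapping[str, str]) -> bool:
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return False
    presented = hashlib.sha256(auth[7:].strip().encode()).hexdigest()
    # compare_digest avoids leaking the token through timing differences.
    return hmac.compare_digest(presented, VALID_TOKEN_SHA256)


def hardened_pdf_handler(headers: Mapping[str, str], body: bytes) -> Tuple[int, bytes]:
    """Authenticate first, then bound the payload, then render."""
    # 1. Reject unauthenticated callers before doing any work on the body.
    if not _token_ok(headers):
        return 401, b"not authenticated"
    # 2. Check the declared length first (a streaming server can refuse before
    #    buffering), then the actual length, so a lying Content-Length does not help.
    try:
        declared = int(headers.get("content-length", str(len(body))))
    except ValueError:
        return 400, b"bad content-length"
    if declared > MAX_PDF_BODY_BYTES or len(body) > MAX_PDF_BODY_BYTES:
        return 413, b"payload too large"
    return 200, generate_pdf(body)


if __name__ == "__main__":
    oversized = b"x" * (MAX_PDF_BODY_BYTES + 1)
    print("vulnerable, anonymous, oversized:", vulnerable_pdf_handler({}, oversized)[0])
    print("hardened, anonymous:", hardened_pdf_handler({}, b"hi")[0])
    print("hardened, authenticated, oversized:",
          hardened_pdf_handler({"authorization": "Bearer example-user-token"}, oversized)[0])
```

The size check inside the handler limits what the renderer sees, but an unauthenticated request still costs bandwidth and a connection slot before the handler runs; in production the same byte cap should also be enforced at the reverse proxy or framework body-limit layer so that oversized requests are dropped before they are buffered.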
CVE ID: CVE-2024-8053
CVSS Base Severity: HIGH
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vendor: open-webui
Product: open-webui/open-webui
EPSS Score: 0.27% (estimated probability of exploitation in the wild within the next 30 days)
EPSS Percentile: 50.18% (share of all scored vulnerabilities with an EPSS score at or below this one)
EPSS Date: 2025-04-18 (date the score was calculated)