Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2025-6961 | In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls. |
Github GHSA |
GHSA-pqwr-phvv-v49f | Open WebUI Allows Admin Deletion via API Endpoint |
Thu, 16 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Improper Privilege Management in open-webui/open-webui | |
| Metrics |
ssvc
|
Thu, 16 Jul 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls. | This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
Wed, 15 Oct 2025 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-269 |
Wed, 15 Oct 2025 13:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-863 |
Fri, 18 Jul 2025 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Openwebui
Openwebui open Webui |
|
| CPEs | cpe:2.3:a:openwebui:open_webui:0.3.8:*:*:*:*:*:*:* | |
| Vendors & Products |
Openwebui
Openwebui open Webui |
|
| Metrics |
cvssV3_1
|
Thu, 20 Mar 2025 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 20 Mar 2025 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls. | |
| Title | Improper Privilege Management in open-webui/open-webui | |
| Weaknesses | CWE-269 | |
| References |
| |
| Metrics |
cvssV3_0
|
Status: REJECTED
Assigner: @huntr_ai
Published:
Updated: 2026-07-16T15:37:20.286Z
Reserved: 2024-07-23T17:54:34.513Z
Link: CVE-2024-7039
Updated:
Status : Modified
Published: 2025-03-20T10:15:35.483
Modified: 2026-06-17T08:19:14.807
Link: CVE-2024-7039
No data.
OpenCVE Enrichment
Updated: 2025-07-13T11:14:24Z
EUVD
Github GHSA