Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2025-6948 | In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts. |
Thu, 16 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Improper Access Control in open-webui/open-webui | |
| Metrics |
ssvc
|
Thu, 16 Jul 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts. | This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
Wed, 15 Oct 2025 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-284 |
Wed, 15 Oct 2025 13:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-639 |
Fri, 18 Jul 2025 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Openwebui
Openwebui open Webui |
|
| CPEs | cpe:2.3:a:openwebui:open_webui:0.3.8:*:*:*:*:*:*:* | |
| Vendors & Products |
Openwebui
Openwebui open Webui |
Thu, 20 Mar 2025 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 20 Mar 2025 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts. | |
| Title | Improper Access Control in open-webui/open-webui | |
| Weaknesses | CWE-284 | |
| References |
| |
| Metrics |
cvssV3_0
|
Status: REJECTED
Assigner: @huntr_ai
Published:
Updated: 2026-07-16T15:37:19.029Z
Reserved: 2024-07-23T17:55:03.324Z
Link: CVE-2024-7040
Updated:
Status : Modified
Published: 2025-03-20T10:15:35.607
Modified: 2026-06-17T08:19:14.913
Link: CVE-2024-7040
No data.
OpenCVE Enrichment
Updated: 2025-07-12T22:44:52Z
EUVD