
CVE-2024-7039: CWE-863 Incorrect Authorization in open-webui open-webui/open-webui

Severity: High
Tags: Vulnerability, CVE-2024-7039, cve, cve-2024-7039, cwe-863
Published: Thu Mar 20 2025 (03/20/2025, 10:11:02 UTC)
Source: CVE Database V5
Vendor/Project: open-webui
Product: open-webui/open-webui

Description

In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls.

AI-Powered Analysis

Last updated: 10/15/2025, 13:33:30 UTC

Technical Analysis

CVE-2024-7039 is an incorrect authorization vulnerability (CWE-863) in open-webui/open-webui v0.3.8. The user management API (DELETE /api/v1/users/{id}, where {id} is the UUID of the target account) verifies that the caller is an administrator but does not consider whether the target is itself an administrator. The web UI hides the delete control for other admin accounts, so the restriction exists only client-side; any authenticated admin can issue the request directly and remove other administrators. The root cause is authorization logic that stops at "is the caller an admin" instead of evaluating the specific action against the specific target at the API layer. Exploitation requires valid admin credentials and no user interaction, so the realistic threat is a compromised or malicious admin account consolidating control by locking out its peers; this is not a privilege escalation, since the caller already holds the highest role, but an abuse of that role that the application should still refuse.

The CVSS 3.0 base score of 8.3 corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. Note that the vector rates privileges required as Low even though administrator credentials are a precondition; rescored with PR:H, the same vector yields 6.7, which better reflects what an attacker must already hold. No public exploits are recorded, which matters little because the attack is a single authenticated HTTP request. This record carries no patch links, so whether a fixed release exists must be confirmed against the vendor's release notes rather than inferred from this entry. The general lesson is that UI-level restrictions are not security controls: every administrative operation needs a server-side check that considers both the caller and the target.
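The target-aware check described above, as an added example in Python (the language open-webui is written in) that is not open-webui's own code: a model of the v0.3.8 decision (caller is admin, nothing else) beside a hardened decision that also looks at the target's role and at an explicit policy, plus an audit record for every attempt. The User and Policy types, the role names "admin"/"user" and the policy fields are assumptions for this example.

```python
"""Authorization decision for deleting a user account.

Added example, not open-webui's own code.  It models the flaw described
for v0.3.8 (in this model the endpoint asks only whether the caller is
an admin) next to a hardened decision that also looks at the target and
at an explicit policy.  The User and Policy types, the role names
"admin"/"user" and the policy fields are assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: str
    role: str  # assumed role names: "admin" or "user"


@dataclass(frozen=True)
class Policy:
    # Assumed policy: whether any admin may delete peer admins at all ...
    admins_may_delete_admins: bool = False
    # ... and, if so, which admin ids are allowed to do it.
    allowed_deleters: frozenset = field(default_factory=frozenset)


def vulnerable_can_delete(requester: User, target: User) -> bool:
    """Behaviour the advisory describes: the only question asked is
    whether the caller is an admin, so admins can delete other admins."""
    return requester.role == "admin"


def hardened_can_delete(requester: User, target: User,
                        policy: Policy) -> tuple:
    """Return (allowed, reason).  The reason is what the audit log gets."""
    if requester.role != "admin":
        return False, "caller is not an administrator"
    if requester.id == target.id:
        return False, "self-deletion is not allowed through this endpoint"
    if target.role == "admin":
        # This branch is the check the vulnerable version lacked.
        if not policy.admins_may_delete_admins:
            return False, "deleting administrators is disabled by policy"
        if requester.id not in policy.allowed_deleters:
            return False, "caller is not on the list of admins who may delete admins"
    return True, "ok"


def delete_user(requester: User, target_id: str, users: dict,
                policy: Policy, audit: list) -> bool:
    """Apply the hardened decision to an in-memory user table and record
    every attempt, allowed or not, so a denied attempt is still visible."""
    target = users.get(target_id)
    if target is None:
        audit.append({"actor": requester.id, "target": target_id,
                      "allowed": False, "reason": "no such user"})
        return False
    allowed, reason = hardened_can_delete(requester, target, policy)
    audit.append({"actor": requester.id, "target": target_id,
                  "target_role": target.role, "allowed": allowed,
                  "reason": reason})
    if allowed:
        del users[target_id]
    return allowed


if __name__ == "__main__":
    # Constructed data for a stand-alone run.
    users = {u.id: u for u in [User("a1", "admin"), User("a2", "admin"),
                               User("u1", "user")]}
    audit = []
    print(vulnerable_can_delete(users["a1"], users["a2"]))         # True: v0.3.8 behaviour
    print(delete_user(users["a1"], "a2", users, Policy(), audit))   # False: refused by policy
    print(delete_user(users["a1"], "u1", users, Policy(), audit))   # True: ordinary user removed
    for event in audit:
        print(event)
```

The denial reasons are deliberately specific because they are written to the audit trail: a burst of "deleting administrators is disabled by policy" entries from one admin account is exactly the signal an operator wants to see after this fix is in place.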

Potential Impact

For European organizations running open-webui, the practical consequence is that any account holding admin rights, whether a malicious insider or an attacker who has obtained admin credentials, can delete every other administrator through the API. The result is loss of management access for the legitimate admins, concentration of control in a single account, and a compromised audit trail if the attacker also reconfigures the instance once unopposed. Deployments that use open-webui as an internal tool or LLM front-end would see their administration disrupted, the integrity of user management undermined, and potentially the loss of data tied to the deleted accounts. Because the flaw is reachable over the network and requires only valid admin credentials, the exposure is bounded by how well those credentials are protected: a small admin population, MFA, and short-lived sessions reduce it substantially. Sectors with strict access-control and auditability requirements, such as finance, healthcare, and public administration, should treat an unexplained administrator deletion as a reportable security event. The absence of a public exploit does not lower the risk in any meaningful way, since the attack is a single authenticated HTTP request that needs no tooling.

Mitigation Recommendations

1. Confirm whether your deployment runs v0.3.8, the only version named in this record; check the release notes of later versions for a fix before assuming a newer build is unaffected, and apply a fixing release promptly once it is available.
2. Keep the administrator population to the minimum and require strong authentication, including multi-factor authentication, for every admin account; the attack depends entirely on valid admin credentials, so credential hygiene is the primary control until a fix is in place.
3. Place the API behind a reverse proxy and log every call to /api/v1/users/{id} with method, source address, authenticated caller, and target id. Alert on any DELETE whose target id belongs to an administrator, including refused attempts.
4. Where the proxy or a WAF supports it, block DELETE /api/v1/users/{id} for ids that belong to administrators, or restrict the whole user management path to trusted source addresses. Note that the same endpoint serves legitimate deletion of ordinary users, so a blanket block on DELETE breaks normal administration; scope the rule. A proxy rule is a stopgap and does not replace the missing server-side check.
5. If you maintain the application or a fork, add a server-side authorization check that considers the target, not only the caller: deleting another administrator must be refused unless explicitly permitted by policy, and every attempt, allowed or denied, must be written to the audit log.
6. Treat the UI's hidden delete control as a convenience, not a control. Review the other administrative endpoints (role changes, password resets, API key management) for the same pattern of authorization checks that look only at the caller's role, and use a role-based or attribute-based policy that names the permitted actor-target combinations.
7. Periodically reconcile the list of administrators against an expected roster so that a silently deleted administrator is noticed even if alerting fails.
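The logging and alerting in recommendations 3 and 4, as an added example in Python that is not part of the advisory: it parses reverse-proxy access lines in combined format, picks out DELETE requests against /api/v1/users/{id}, and flags those whose target id is on the administrator roster, counting refused attempts as indicators too. The assumption that open-webui sits behind a proxy writing combined-format logs, the administrator roster, and every log line below are constructed for this example.

```python
"""Flag DELETE /api/v1/users/{id} requests that target administrator ids.

Added example, not part of the advisory.  Assumes open-webui runs behind
a reverse proxy writing combined-format access logs and that the
operator keeps a list of administrator user ids; both the log lines and
the ids below are constructed for this example.
"""
import re
from collections import Counter
from typing import Optional

# Constructed sample log: a listing call, three deletions (one ordinary
# user, two administrators, the last one refused) and an unrelated update.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2025:10:11:02 +0000] "GET /api/v1/users/ HTTP/1.1" 200 812 "-" "curl/8.5.0"
10.0.0.5 - - [20/Mar/2025:10:11:10 +0000] "DELETE /api/v1/users/6f1c2a3e-1111-4a4a-9b9b-aaaaaaaaaaaa HTTP/1.1" 200 4 "-" "curl/8.5.0"
10.0.0.5 - - [20/Mar/2025:10:11:15 +0000] "DELETE /api/v1/users/0b9e7d6c-2222-4b4b-8c8c-bbbbbbbbbbbb HTTP/1.1" 200 4 "-" "curl/8.5.0"
10.0.0.9 - - [20/Mar/2025:10:12:00 +0000] "POST /api/v1/users/update HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Mar/2025:10:12:30 +0000] "DELETE /api/v1/users/3c4d5e6f-3333-4c4c-9d9d-cccccccccccc HTTP/1.1" 403 56 "-" "curl/8.5.0"
"""

# Constructed administrator roster (in practice exported from the app's user table).
ADMIN_IDS = frozenset({
    "0b9e7d6c-2222-4b4b-8c8c-bbbbbbbbbbbb",
    "3c4d5e6f-3333-4c4c-9d9d-cccccccccccc",
})

# Combined log format: src ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The path named in the advisory, with the uuid captured; trailing slash tolerated.
DELETE_USER_RE = re.compile(r'^/api/v1/users/(?P<uid>[0-9a-fA-F-]{36})/?$')


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_admin_deletions(log_text: str, admin_ids) -> list:
    """Return one event per DELETE aimed at an administrator id.  Refused
    attempts (4xx) are kept: a denied deletion is still an indicator."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "DELETE":
            continue
        path = DELETE_USER_RE.match(rec["path"])
        if not path:
            continue
        uid = path["uid"].lower()
        if uid in admin_ids:
            events.append({"src": rec["src"], "ts": rec["ts"], "target": uid,
                           "status": int(rec["status"]),
                           "succeeded": rec["status"].startswith("2")})
    return events


def attempts_by_source(events: list) -> Counter:
    """Count attempts per source address; several admin deletions from one
    address in a short window is the pattern to page on."""
    return Counter(e["src"] for e in events)


if __name__ == "__main__":
    found = find_admin_deletions(SAMPLE_LOG, ADMIN_IDS)
    for e in found:
        print(e)
    print(attempts_by_source(found))
```

The roster lookup is the whole point: without it the detector can only say "someone deleted a user", which is normal administration, whereas "someone deleted an administrator" is the event this CVE makes worth an alert. Feed the function the proxy's rotated logs on a schedule, or the same logic in your SIEM's query language.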


Technical Details

Data Version
5.1
Assigner Short Name
@huntr_ai
Date Reserved
2024-07-23T17:54:34.513Z
Cvss Version
3.0
State
PUBLISHED

Threat ID: 68ef9b2a178f764e1f470d65

Added to database: 10/15/2025, 1:01:30 PM

Last enriched: 10/15/2025, 1:33:30 PM

Last updated: 10/16/2025, 2:46:29 PM



