CVE-2024-7040: CWE-639 Authorization Bypass Through User-Controlled Key in open-webui open-webui/open-webui
In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts.
AI Analysis
Technical Summary
CVE-2024-7040 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the open-webui/open-webui project, specifically version v0.3.8. The vulnerability arises from improper access control on the frontend admin page, where administrators are intended to view only chats of non-admin users. However, by manipulating the user_id parameter, an attacker with administrator privileges can access chat histories of other administrators, including owner accounts. This flaw stems from insufficient validation of user_id inputs and inadequate enforcement of access restrictions on sensitive data. The vulnerability does not require user interaction but does require the attacker to have administrator-level privileges, which limits the attack surface but increases the severity of the breach if exploited. The CVSS 3.0 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, no integrity or availability impact. No patches or known exploits are currently available, but the exposure of administrator chat data can lead to significant confidentiality breaches, potentially leaking sensitive operational or strategic information.
Potential Impact
For European organizations, the primary impact is the unauthorized disclosure of sensitive administrator communications, which can compromise operational security and privacy compliance obligations under regulations such as GDPR. The exposure of admin chats could reveal internal decision-making, security configurations, or personal data, leading to reputational damage and regulatory penalties. Organizations relying on open-webui for internal communication or administrative interfaces face risks of insider threats or lateral movement if an attacker gains admin credentials. Although exploitation requires admin privileges, compromised or malicious administrators could leverage this vulnerability to escalate access to sensitive information. The medium severity rating reflects the balance between required privileges and the high confidentiality impact. The vulnerability does not affect system integrity or availability, but the confidentiality breach alone is significant for sectors handling sensitive data, such as finance, healthcare, and government entities in Europe.
Mitigation Recommendations
European organizations using open-webui should immediately audit their deployments to identify affected versions and restrict administrator access to trusted personnel only. Implement strict input validation and access control checks on the user_id parameter within the admin frontend to ensure that administrators can only view chats of non-admin users as intended. If possible, disable or limit the frontend admin chat viewing functionality until a patch or update is released. Monitor administrator activities and access logs for unusual patterns indicating attempts to manipulate user_id parameters. Employ multi-factor authentication and role-based access controls to reduce the risk of compromised admin accounts. Engage with the open-webui community or vendor to track patch releases and apply updates promptly once available. Additionally, conduct regular security assessments and penetration tests focusing on authorization controls in administrative interfaces.
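The authorization check the advisory describes, as an added example that is not open-webui's code: a minimal model of an admin chat-listing endpoint in the CWE-639 shape (the only check is "caller is an admin", and the user_id from the request is trusted), beside a hardened version that enforces the intended policy server-side (target must exist and must not be an admin). It also includes a retrospective check over access-log lines for the monitoring recommendation above. The role names, data, endpoint path and log-line format are all constructed assumptions for illustration.

```python
# Added example (not open-webui's code): a model of the admin chat-viewing
# check behind CVE-2024-7040. Roles, sample data, paths and log format are
# constructed assumptions, not values taken from the project.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class User:
    id: str
    role: str  # constructed roles: "admin" or "user"


@dataclass(frozen=True)
class Chat:
    id: str
    user_id: str
    title: str


class Forbidden(Exception):
    """Raised when the requester may not view the requested chats."""


# Constructed sample data: two admins (one of them the owner) and one regular user.
USERS: Dict[str, User] = {
    "admin-a": User("admin-a", "admin"),
    "owner-1": User("owner-1", "admin"),
    "user-1": User("user-1", "user"),
}
CHATS: List[Chat] = [
    Chat("chat-1", "user-1", "Draft email"),
    Chat("chat-2", "user-1", "Meeting notes"),
    Chat("chat-3", "owner-1", "Incident response plan"),
]


def get_user_chats_vulnerable(requester: User, user_id: str, chats: List[Chat]) -> List[Chat]:
    """CWE-639 pattern: the only check is that the caller is an admin.
    user_id comes straight from the request, so the lookup key is entirely
    user-controlled and any admin's chats can be returned to any other admin."""
    if requester.role != "admin":
        raise Forbidden("admin only")
    return [c for c in chats if c.user_id == user_id]


def admin_may_view_chats(requester: User, user_id: str, users: Dict[str, User]) -> bool:
    """Server-side policy for the admin chat page: the caller must be an
    admin AND the target must be an existing non-admin user. Returning a
    boolean keeps the policy testable independently of the endpoint."""
    if requester.role != "admin":
        return False
    target = users.get(user_id)
    if target is None:
        return False
    return target.role != "admin"


def get_user_chats_hardened(
    requester: User, user_id: str, users: Dict[str, User], chats: List[Chat]
) -> List[Chat]:
    """Same endpoint with the policy enforced before any chat data is read."""
    if not admin_may_view_chats(requester, user_id, users):
        raise Forbidden(f"{requester.id} may not view chats of {user_id}")
    return [c for c in chats if c.user_id == user_id]


# Constructed access-log lines in the form "<requester_id> <METHOD> <path> <status>".
SAMPLE_LOG: List[str] = [
    "admin-a GET /api/admin/chats/user/user-1 200",
    "admin-a GET /api/admin/chats/user/owner-1 200",
    "user-1 GET /api/admin/chats/user/owner-1 403",
]


def flag_admin_to_admin_views(log_lines: List[str], users: Dict[str, User]) -> List[str]:
    """Retrospective check for the monitoring recommendation: flag successful
    requests in which an admin fetched the chat list of another admin via
    the user id carried in the path."""
    flagged: List[str] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the constructed format
        requester_id, _method, path, status = parts
        if status != "200" or "/user/" not in path:
            continue
        target_id = path.rsplit("/user/", 1)[1]
        requester = users.get(requester_id)
        target = users.get(target_id)
        if requester and target and requester.role == "admin" and target.role == "admin":
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    admin = USERS["admin-a"]
    print("vulnerable:", [c.title for c in get_user_chats_vulnerable(admin, "owner-1", CHATS)])
    try:
        get_user_chats_hardened(admin, "owner-1", USERS, CHATS)
    except Forbidden as exc:
        print("hardened:", exc)
    print("flagged log lines:", flag_admin_to_admin_views(SAMPLE_LOG, USERS))
```

The point of the design is that the check belongs on the server next to the data access, not only in the frontend page that hides admin accounts from the user picker: a frontend filter does nothing against a request whose user_id is edited by hand, so the policy must be re-evaluated for every request against the target account's actual role.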
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-07-23T17:55:03.324Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b2b178f764e1f470d75
Added to database: 10/15/2025, 1:01:31 PM
Last enriched: 10/15/2025, 1:36:59 PM
Last updated: 10/16/2025, 11:36:23 AM