
CVE-2024-7043: CWE-862 Missing Authorization in open-webui open-webui/open-webui

Severity: High
Tags: Vulnerability, CVE-2024-7043, CWE-862
Published: Thu Mar 20 2025 (03/20/2025, 10:10:40 UTC)
Source: CVE Database V5
Vendor/Project: open-webui
Product: open-webui/open-webui

Description

An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all files uploaded by users, which includes the ID values. The attacker can then use the GET /api/v1/files/{file_id} interface to obtain information on any file and the DELETE /api/v1/files/{file_id} interface to delete any file.

AI-Powered Analysis

AI analysis last updated: 10/15/2025, 13:46:11 UTC

Technical Analysis

CVE-2024-7043 is an improper access control vulnerability classified under CWE-862 affecting open-webui/open-webui version 0.3.8. The vulnerability arises because the application does not enforce proper authorization checks on its file management REST API endpoints. Specifically, the GET /api/v1/files/ endpoint allows an attacker to list all files uploaded by users, exposing their IDs. Subsequently, the attacker can use GET /api/v1/files/{file_id} to obtain detailed information about any file and DELETE /api/v1/files/{file_id} to remove any file from the system. The critical issue is that these operations do not require the attacker to have administrator privileges, only limited privileges (PR:L in CVSS), and no user interaction is needed (UI:N). The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L). The CVSS 3.0 score of 8.1 reflects the high impact on confidentiality and integrity, as unauthorized users can access and delete sensitive files, potentially leading to data breaches and disruption of services. No patches or fixes are currently linked, and no known exploits are reported in the wild, but the risk remains significant given the ease of exploitation and the sensitive nature of the data involved. Organizations using open-webui should urgently assess their exposure and implement access control mechanisms to prevent unauthorized API calls.
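The flaw described above is a handler that confirms a caller is logged in but never asks whether that caller may perform the operation. The following Python model is an added example written for this page; it is not open-webui's own code and does not use its framework. It reimplements the three advisory operations (list, get, delete) over a constructed in-memory store, first with the flawed "any authenticated user passes" check and then routed through a single policy function. Names such as User, FileRecord, FileService, the roles "admin" and "user", and the sample users and files are all constructed for the example. It goes slightly beyond the advisory in one respect: the hardened policy keeps listing admin-only but lets a file's owner read or delete their own file, which is the usual shape of this check in a multi-user upload service.

```python
"""Missing-authorization pattern versus an explicit policy (added example,
not open-webui code). All names and sample data are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # constructed roles for this example: "admin" or "user"


@dataclass
class FileRecord:
    file_id: str
    owner_id: str
    filename: str


class NotFound(Exception):
    """Unknown file id."""


class Forbidden(Exception):
    """Caller is authenticated but not authorized for this action."""


def authorize(user: User, action: str, record: Optional[FileRecord] = None) -> None:
    """Central policy. Listing every file is admin-only; reading or deleting
    one file is allowed for its owner or an admin. Raises Forbidden otherwise."""
    if user.role == "admin":
        return
    if action == "list":
        raise Forbidden("listing all files requires the admin role")
    if action in ("get", "delete") and record is not None and record.owner_id == user.user_id:
        return
    raise Forbidden(f"user {user.user_id} may not {action} this file")


class FileService:
    def __init__(self, records: Iterable[FileRecord]) -> None:
        self._files: Dict[str, FileRecord] = {r.file_id: r for r in records}

    # Flawed pattern: the only check is that *some* authenticated user is
    # calling, so any low-privileged account can enumerate and delete.
    def list_files_vulnerable(self, user: User) -> List[str]:
        self._require_authenticated(user)
        return sorted(self._files)

    def delete_file_vulnerable(self, user: User, file_id: str) -> bool:
        self._require_authenticated(user)
        return self._files.pop(file_id, None) is not None

    # Hardened pattern: every handler consults the policy before acting.
    def list_files(self, user: User) -> List[str]:
        authorize(user, "list")
        return sorted(self._files)

    def get_file(self, user: User, file_id: str) -> FileRecord:
        record = self._lookup(file_id)
        authorize(user, "get", record)
        return record

    def delete_file(self, user: User, file_id: str) -> bool:
        record = self._lookup(file_id)
        authorize(user, "delete", record)
        del self._files[file_id]
        return True

    @staticmethod
    def _require_authenticated(user: Optional[User]) -> None:
        if user is None:
            raise Forbidden("authentication required")

    def _lookup(self, file_id: str) -> FileRecord:
        record = self._files.get(file_id)
        if record is None:
            raise NotFound(file_id)
        return record


def _denied(call: Callable[[], object]) -> bool:
    """True if the call is rejected by the policy."""
    try:
        call()
    except Forbidden:
        return True
    return False


def run_scenario() -> dict:
    """Run the same low-privileged caller against both variants and return
    the outcomes, so the contrast can be checked rather than just printed."""
    def fresh() -> FileService:  # constructed sample data
        return FileService([FileRecord("f-1", "alice", "notes.txt"),
                            FileRecord("f-2", "bob", "report.pdf")])
    mallory, bob, admin = User("mallory", "user"), User("bob", "user"), User("root", "admin")
    out = {}
    vuln = fresh()
    out["vuln_list"] = vuln.list_files_vulnerable(mallory)            # sees every id
    out["vuln_delete_foreign"] = vuln.delete_file_vulnerable(mallory, "f-2")  # deletes bob's file
    hard = fresh()
    out["hard_list_denied"] = _denied(lambda: hard.list_files(mallory))
    out["hard_delete_foreign_denied"] = _denied(lambda: hard.delete_file(mallory, "f-2"))
    out["owner_delete"] = hard.delete_file(bob, "f-2")
    out["admin_list"] = hard.list_files(admin)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that authorization lives in one function that every handler must call with the record it is about to act on, so a new endpoint cannot silently inherit the "logged in is enough" behaviour. Note that the hardened get and delete look the record up before authorizing, so a non-owner receives NotFound for unknown ids and Forbidden for foreign ones; if confirming that an id exists is itself sensitive, return the same not-found response for both cases.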

Potential Impact

For European organizations, this vulnerability can lead to unauthorized disclosure and deletion of sensitive files managed through open-webui, impacting confidentiality and integrity of critical data. This could disrupt business operations, cause data loss, and potentially violate data protection regulations such as GDPR if personal or sensitive data is exposed or deleted. The lack of proper authorization checks means that even low-privileged users or attackers who gain limited access could escalate their impact significantly. Sectors relying on open-webui for internal or external file management, including government, healthcare, finance, and technology companies, face increased risk of operational disruption and reputational damage. The vulnerability could also be leveraged as a foothold for further attacks if attackers delete critical configuration or log files, complicating incident response and recovery efforts.

Mitigation Recommendations

1. Immediately restrict access to the affected API endpoints to trusted administrators only, using network-level controls such as IP whitelisting or VPNs.
2. Implement robust authorization checks within the application to verify that only users with appropriate administrative privileges can list, view, or delete files.
3. Monitor API usage logs for unusual patterns, such as bulk file enumeration or deletion attempts, and set up alerts for suspicious activities.
4. If possible, disable the vulnerable endpoints temporarily until a patch or update is available.
5. Conduct a thorough audit of files accessed or deleted recently to identify potential data breaches or tampering.
6. Educate developers and administrators on secure API design and the importance of enforcing access controls.
7. Follow up with the open-webui project for official patches or updates and apply them promptly once released.
8. Consider deploying Web Application Firewalls (WAFs) with custom rules to block unauthorized API calls targeting these endpoints.
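Recommendation 3 asks for monitoring of enumeration and deletion patterns. The script below is an added example for this page, not a tool from open-webui or the advisory source; it implements the sequence the advisory describes (one account successfully listing all files, then deleting several distinct files shortly afterwards) as a single detection rule over access-log lines. The log format, the field names user/method/path/status, the five-minute window, the threshold of three deletions, and every line of SAMPLE_LOG are constructed for the example; adapt LOG_RE to whatever your reverse proxy or application actually writes.

```python
"""Enumerate-then-bulk-delete detection over API access logs (added example,
not from the advisory or the open-webui project). Log format and data are
constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed log format: ISO timestamp, user, method, path, HTTP status.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
LIST_PATH = "/api/v1/files/"                       # endpoint named in the advisory
ITEM_RE = re.compile(r"^/api/v1/files/(?P<file_id>[^/]+)$")

# Constructed sample: "mallory" lists every file, then deletes three of them.
SAMPLE_LOG = [
    "2025-03-20T10:10:01Z user=alice method=GET path=/api/v1/files/a1b2 status=200",
    "2025-03-20T10:10:05Z user=mallory method=GET path=/api/v1/files/ status=200",
    "2025-03-20T10:10:09Z user=mallory method=GET path=/api/v1/files/a1b2 status=200",
    "2025-03-20T10:10:12Z user=mallory method=DELETE path=/api/v1/files/a1b2 status=200",
    "2025-03-20T10:10:13Z user=mallory method=DELETE path=/api/v1/files/c3d4 status=200",
    "2025-03-20T10:10:15Z user=mallory method=DELETE path=/api/v1/files/e5f6 status=200",
    "2025-03-20T10:11:40Z user=bob method=DELETE path=/api/v1/files/b7b7 status=200",
    "2025-03-20T10:12:00Z user=carol method=GET path=/api/v1/files/ status=403",
    "this line is not in the expected format",
]


def parse_line(line: str) -> Optional[dict]:
    """Return a dict of fields, or None for lines that do not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["status"] = int(ev["status"])
    return ev


def detect_enumerate_then_delete(lines: List[str],
                                 window: timedelta = timedelta(minutes=5),
                                 threshold: int = 3) -> List[dict]:
    """Flag a user whose successful listing of /api/v1/files/ is followed,
    within `window`, by successful DELETEs of at least `threshold` distinct
    file ids. Denied (>=400) requests are ignored: they show the check held."""
    listings: Dict[str, List[datetime]] = defaultdict(list)
    deletes: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] >= 400:
            continue
        if ev["method"] == "GET" and ev["path"] == LIST_PATH:
            listings[ev["user"]].append(ev["ts"])
        elif ev["method"] == "DELETE":
            m = ITEM_RE.match(ev["path"])
            if m:
                deletes[ev["user"]].append((ev["ts"], m.group("file_id")))

    alerts = []
    for user, list_times in listings.items():
        for t0 in list_times:
            ids = {fid for ts, fid in deletes.get(user, []) if t0 <= ts <= t0 + window}
            if len(ids) >= threshold:
                alerts.append({"rule": "enumerate_then_bulk_delete", "user": user,
                               "listing_at": t0.isoformat(), "deleted": sorted(ids)})
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_enumerate_then_delete(SAMPLE_LOG):
        print(alert)
```

Because the rule keys on distinct file ids after a successful listing, a single accidental deletion (bob above) or a denied listing (carol above) does not fire. On an unpatched 0.3.8 instance the listing itself succeeds for non-admins, so a lower-severity signal for any successful listing by a non-administrative account is a reasonable companion rule where the log or an identity lookup can supply the caller's role.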


Technical Details

Data Version: 5.1
Assigner Short Name: @huntr_ai
Date Reserved: 2024-07-23T18:44:12.131Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 68ef9b2b178f764e1f470d7f

Added to database: 10/15/2025, 1:01:31 PM

Last enriched: 10/15/2025, 1:46:11 PM

Last updated: 10/16/2025, 12:42:08 PM

