CVE-2024-7046: CWE-862 Missing Authorization in open-webui open-webui/open-webui
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows an attacker to view admin details. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1/auths/admin/details interface to retrieve the first admin (owner) details.
AI Analysis
Technical Summary
CVE-2024-7046 identifies a missing authorization vulnerability (CWE-862) in the open-webui project, specifically version 0.3.8. The application fails to verify that the requester holds the administrator role before serving the /api/v1/auths/admin/details API endpoint, which returns sensitive information about the first administrator (owner) of the system. An attacker with limited privileges (PR:L) can therefore retrieve admin details without any authorization check, potentially exposing usernames, emails, or other identifying information. The vulnerability is exploitable over the network (AV:N) without user interaction (UI:N), but requires some level of privileges: the attacker must already have at least a limited authenticated session or other access to the system. The CVSS 3.0 base score is 4.3 (medium severity), reflecting the limited confidentiality impact and no impact on integrity or availability. No patches or fixes had been released at the time of publication, and no known exploits have been observed in the wild. The leaked details could serve as a reconnaissance step for further attacks such as privilege escalation or targeted phishing against administrators.
Potential Impact
For European organizations, the exposure of administrator details can increase the risk of targeted attacks, including social engineering, credential stuffing, or privilege escalation attempts. Although the vulnerability itself does not allow direct system compromise or data modification, the leakage of admin information undermines the confidentiality of critical user data and can serve as a stepping stone for more severe attacks. Organizations relying on open-webui for internal or external web interfaces may face increased risk if attackers gain limited access to the system. This is particularly concerning for sectors with high-value targets such as finance, government, healthcare, and critical infrastructure, where administrator accounts often have elevated privileges. The absence of patches means organizations must rely on mitigating controls until an official fix is available. The medium severity rating suggests a moderate but non-negligible risk that should be addressed promptly to avoid escalation.
Mitigation Recommendations
1. Immediately restrict access to the /api/v1/auths/admin/details endpoint using network-level controls such as firewalls or API gateways to limit exposure only to trusted IP addresses or internal networks.
2. Implement strict authentication and authorization checks at the application level to ensure only verified administrators can access sensitive admin endpoints.
3. Monitor logs for any unauthorized or suspicious access attempts to admin-related APIs to detect potential reconnaissance activities.
4. Use web application firewalls (WAFs) with custom rules to block unauthorized API calls targeting admin endpoints.
5. If possible, disable or remove the vulnerable endpoint until a patch is released.
6. Educate administrators and users about phishing and social engineering risks that could arise from leaked admin information.
7. Stay updated with the open-webui project for official patches and apply them promptly once available.
8. Conduct regular security assessments and penetration tests focusing on access control mechanisms in web applications.
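As an added illustration of recommendations 2 and 3 (example code, not open-webui's own implementation), the following Python models the admin-details handler without the role check the advisory describes, beside a hardened version that enforces it, plus a log-audit helper that flags non-admin calls to the endpoint. The user store, role names and log-line format are constructed assumptions.

```python
# Added example (not open-webui's code): the missing admin check beside the
# enforced one, and a log-audit helper for the endpoint named in the advisory.
ADMIN_ONLY_PATHS = {"/api/v1/auths/admin/details"}

# Constructed user store; the first admin is the "owner" whose details the
# endpoint returns. Role names are an assumption, not open-webui's schema.
USERS = {
    "u1": {"email": "owner@example.test", "role": "admin"},
    "u2": {"email": "alice@example.test", "role": "user"},
}

def first_admin_details():
    uid, u = next((k, v) for k, v in USERS.items() if v["role"] == "admin")
    return {"id": uid, "email": u["email"]}

def admin_details_vulnerable(caller_id):
    # Behaviour the advisory describes: the caller is authenticated, but the
    # handler never checks the caller's role, so any user gets the owner's data.
    return first_admin_details()

def require_admin(caller_id):
    # The authorization step the vulnerable handler lacks (CWE-862).
    caller = USERS.get(caller_id)
    if caller is None or caller["role"] != "admin":
        raise PermissionError("admin role required")
    return caller

def admin_details_fixed(caller_id):
    require_admin(caller_id)
    return first_admin_details()

def is_authorized(caller_id):
    try:
        admin_details_fixed(caller_id)
        return True
    except PermissionError:
        return False

def suspicious_admin_calls(log_lines):
    """Recommendation 3: flag hits on admin-only paths by unknown or non-admin users."""
    hits = []
    for line in log_lines:
        # Constructed log format: <timestamp> <user_id> <method> <path> <status>
        parts = line.split()
        if len(parts) != 5:
            continue
        _, uid, _, path, status = parts
        user = USERS.get(uid)
        if path in ADMIN_ONLY_PATHS and (user is None or user["role"] != "admin"):
            hits.append((uid, path, status))
    return hits
```

Running the audit over a real access log requires adapting the field positions to that log's format; the decision rule (admin-only path hit by a caller whose role is not admin) stays the same.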
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-07-23T18:55:00.658Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b2b178f764e1f470d85
Added to database: 10/15/2025, 1:01:31 PM
Last enriched: 10/15/2025, 1:36:09 PM
Last updated: 10/16/2025, 11:12:34 AM