CVE-2024-12537

High CVSS: 7.5

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.

Vendor

Openwebui

Product

Open Webui

CWE

CWE-770

Yayın Tarihi

2025-03-20 10:15:29

Güncelleme

2025-04-04 09:15:15

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-770 Open Webui HIGH Openwebui 2025

Referanslar

https://huntr.com/bounties/edabd06c-acc0-428c-a481-271f333755bc https://huntr.com/bounties/edabd06c-acc0-428c-a481-271f333755bc

Benzer Kayıtlar

Medium

CVE-2026-28786

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

High

CVE-2026-28788

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

Medium

CVE-2026-29070

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

Low

CVE-2026-29071

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

High

CVE-2026-26192

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.…

High

CVE-2026-26193

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.…