danswer-ai danswer up to 0.3.94 access control

Summaryinfo

A vulnerability has been found in danswer-ai danswer up to 0.3.94 and classified as critical. Affected is an unknown function. Performing a manipulation results in access control. This vulnerability is reported as CVE-2024-7767. The attack is possible to be carried out remotely. No exploit exists.

Detailsinfo

A vulnerability, which was classified as critical, was found in danswer-ai danswer up to 0.3.94. This affects an unknown part. The manipulation with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. This is going to have an impact on confidentiality. The summary by CVE is:

An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations.

It is possible to read the advisory at huntr.com. This vulnerability is uniquely identified as CVE-2024-7767 since 08/13/2024. The exploitability is told to be easy. It is possible to initiate the attack remotely. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 10/16/2025). The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Artificial Intelligence Software

Vendor

• danswer-ai

Name

• danswer

Version

• 0.3.0
• 0.3.1
• 0.3.2
• 0.3.3
• 0.3.4
• 0.3.5
• 0.3.6
• 0.3.7
• 0.3.8
• 0.3.9
• 0.3.10
• 0.3.11
• 0.3.12
• 0.3.13
• 0.3.14
• 0.3.15
• 0.3.16
• 0.3.17
• 0.3.18
• 0.3.19
• 0.3.20
• 0.3.21
• 0.3.22
• 0.3.23
• 0.3.24
• 0.3.25
• 0.3.26
• 0.3.27
• 0.3.28
• 0.3.29
• 0.3.30
• 0.3.31
• 0.3.32
• 0.3.33
• 0.3.34
• 0.3.35
• 0.3.36
• 0.3.37
• 0.3.38
• 0.3.39
• 0.3.40
• 0.3.41
• 0.3.42
• 0.3.43
• 0.3.44
• 0.3.45
• 0.3.46
• 0.3.47
• 0.3.48
• 0.3.49
• 0.3.50
• 0.3.51
• 0.3.52
• 0.3.53
• 0.3.54
• 0.3.55
• 0.3.56
• 0.3.57
• 0.3.58
• 0.3.59
• 0.3.60
• 0.3.61
• 0.3.62
• 0.3.63
• 0.3.64
• 0.3.65
• 0.3.66
• 0.3.67
• 0.3.68
• 0.3.69
• 0.3.70
• 0.3.71
• 0.3.72
• 0.3.73
• 0.3.74
• 0.3.75
• 0.3.76
• 0.3.77
• 0.3.78
• 0.3.79
• 0.3.80
• 0.3.81
• 0.3.82
• 0.3.83
• 0.3.84
• 0.3.85
• 0.3.86
• 0.3.87
• 0.3.88
• 0.3.89
• 0.3.90
• 0.3.91
• 0.3.92
• 0.3.93
• 0.3.94

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion