CVE-2024-7767

CVE-2024-7767 is an improper access control vulnerability (CWE-862) in danswer-ai/danswer version v0.3.94. It enables the first user created in the system to view, modify, and delete chats created by an Admin, potentially exposing sensitive information, compromising data integrity, and causing compliance issues. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and requirements for only low privileges.

An attacker with low-privileged access as the first user registered in the system can exploit this over the network without user interaction. Successful exploitation grants unauthorized viewing, modification, or deletion of Admin-created chats, leading to high-impact confidentiality breaches (e.g., access to sensitive data) and integrity violations (e.g., tampering with chat history), though availability remains unaffected.

Mitigation details are available in advisories published via Huntr, including at https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c. Security practitioners should review these for patch information or workarounds specific to danswer-ai/danswer v0.3.94 and upgrade promptly.

This issue affects an open-source AI-powered search and answering platform, highlighting access control risks in AI/ML deployments where user-generated chats may contain proprietary or sensitive data. No public evidence of real-world exploitation is noted as of the CVE publication on 2025-03-20.