CVE-2024-7767: Improper Access Control in danswer-ai/danswer

Published Mar 20, 2025
·
Updated

An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations.

Affected Software

2 affected components
danswer-ai danswer
Onyx onyx=0.3.94

Event History

Mar 20, 2025
CVE Published
via MITRE·10:11 AM
Data Sourced
via MITRE·10:11 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·10:15 AM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-7767?

CVE-2024-7767 is classified as a high severity vulnerability due to its potential for unauthorized data access and manipulation.

2

How do I fix CVE-2024-7767?

To fix CVE-2024-7767, upgrade to the latest version of danswer-ai/danswer that includes access control enhancements.

3

What impact does CVE-2024-7767 have on my data?

CVE-2024-7767 can lead to unauthorized users gaining access to sensitive chats, potentially resulting in data breaches or loss.

4

Who is affected by CVE-2024-7767?

Users of danswer-ai/danswer version v0.3.94 are affected by CVE-2024-7767 due to flawed access controls.

5

Is there a workaround for CVE-2024-7767 until I can patch?

As of now, the best approach is to minimize user privileges until a patch for CVE-2024-7767 is applied.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203