cve/2024/CVE-2024-9617.md

### [CVE-2024-9617](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9617)
![](https://img.shields.io/static/v1?label=Product&message=danswer-ai%2Fdanswer&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-284%20Improper%20Access%20Control&color=brightgreen)

### Description

An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/20142995/nuclei-templates
- https://github.com/cyb3r-w0lf/nuclei-template-collection
Update CVE list 2025-09-29 21:09 2025-09-29 21:09:30 +02:00			`### [CVE-2024-9617](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9617)`
			`![](https://img.shields.io/static/v1?label=Product&message=danswer-ai%2Fdanswer&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=unspecified%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-284%20Improper%20Access%20Control&color=brightgreen)`

			`### Description`

			`An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.`

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/20142995/nuclei-templates`
			`- https://github.com/cyb3r-w0lf/nuclei-template-collection`