AI Threat Alert
CVE-2024-12534: open-webui: unauthenticated DoS via login payload flood
GHSA-g3mx-83mp-3rwc HIGH CISA: TRACK*Any internet-exposed open-webui instance on v0.3.32 or earlier can be taken offline by an unauthenticated attacker submitting oversized strings to the login endpoint—no credentials needed. If your team uses open-webui as a gateway to internal LLMs (Ollama, OpenAI-compatible backends), this means full service disruption with a trivial HTTP request. Patch or gate the endpoint behind a WAF/reverse proxy with body-size limits immediately.
What is the risk?
Practical risk is HIGH for exposed deployments despite the low EPSS (0.00162). The attack is trivially reproducible—a single curl command with a multi-MB payload suffices. Attack surface is any public or intranet-facing open-webui login page, which is common in enterprise AI sandbox environments. No authentication barrier, no rate limit bypass needed. The saving grace is that open-webui is typically deployed internally, reducing external exposure, but lateral-movement scenarios from a compromised internal host are realistic.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | npm | <= 0.3.32 | No patch |
| Open WebUI | pip | <= 0.3.32 | No patch |
How severe is it?
What is the attack surface?
What should I do?
5 steps-
PATCH
Upgrade open-webui to any version > 0.3.32 once available; monitor the GitHub advisory GHSA-g3mx-83mp-3rwc for patch release.
-
IMMEDIATE WORKAROUND
Add nginx/Apache
client_max_body_size 1mupstream of open-webui to reject oversized bodies at the reverse proxy layer. -
RATE LIMIT
Apply rate limiting on the
/api/v1/auths/signinendpoint (e.g., 10 req/min per IP via nginxlimit_req). -
NETWORK CONTROL
Restrict open-webui access to trusted IP ranges or require VPN—this eliminates unauthenticated external exposure entirely.
-
DETECT
Alert on POST requests to sign-in endpoint with Content-Length > 10KB or request processing time > 5s.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2024-12534?
Any internet-exposed open-webui instance on v0.3.32 or earlier can be taken offline by an unauthenticated attacker submitting oversized strings to the login endpoint—no credentials needed. If your team uses open-webui as a gateway to internal LLMs (Ollama, OpenAI-compatible backends), this means full service disruption with a trivial HTTP request. Patch or gate the endpoint behind a WAF/reverse proxy with body-size limits immediately.
Is CVE-2024-12534 actively exploited?
No confirmed active exploitation of CVE-2024-12534 has been reported, but organizations should still patch proactively.
How to fix CVE-2024-12534?
1. PATCH: Upgrade open-webui to any version > 0.3.32 once available; monitor the GitHub advisory GHSA-g3mx-83mp-3rwc for patch release. 2. IMMEDIATE WORKAROUND: Add nginx/Apache `client_max_body_size 1m` upstream of open-webui to reject oversized bodies at the reverse proxy layer. 3. RATE LIMIT: Apply rate limiting on the `/api/v1/auths/signin` endpoint (e.g., 10 req/min per IP via nginx `limit_req`). 4. NETWORK CONTROL: Restrict open-webui access to trusted IP ranges or require VPN—this eliminates unauthenticated external exposure entirely. 5. DETECT: Alert on POST requests to sign-in endpoint with Content-Length > 10KB or request processing time > 5s.
What systems are affected by CVE-2024-12534?
This vulnerability affects the following AI/ML architecture patterns: LLM serving, AI chatbot platforms, Ollama deployments, Internal AI developer tooling.
What is the CVSS score for CVE-2024-12534?
CVE-2024-12534 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.81%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0029 Denial of AI Service AML.T0034 Cost Harvesting AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS) condition when a user submits excessively large strings, exhausting server resources such as CPU, memory, and disk space, and rendering the service unavailable for legitimate users. This makes the server susceptible to resource exhaustion attacks without requiring authentication.
Exploitation Scenario
An adversary targeting an organization's internal AI platform identifies an exposed open-webui instance via Shodan or internal network scan. They craft a single HTTP POST to `/api/v1/auths/signin` with a 50MB string in the `password` field. The server begins processing the oversized payload—hashing the password candidate, logging the attempt, writing to disk—exhausting available memory and CPU. Within seconds, the server becomes unresponsive. Legitimate users—security analysts, developers, or automated AI pipelines—lose access to all LLM models proxied through open-webui. The attacker repeats the request via a script to maintain the outage, requiring no authentication and leaving minimal forensic trace beyond access logs showing large POST bodies.
Weaknesses (CWE)
CWE-400 — Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource.
- [Architecture and Design] Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
- [Architecture and Design] Mitigation of resource exhaustion attacks requires that the target system either: The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker. recognizes the attack and denies that user further access for a given amount of time, or uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui