AI Threat Alert
CVE-2024-4839: lollms-webui: CSRF allows unauthorized AI service install
LOW PoC AVAILABLE CISA: TRACK*If your team uses lollms-webui for local LLM experimentation or internal AI tooling, this CSRF flaw lets attackers trick authenticated admins into silently installing AI services (XTTS, vLLM, Petals) via a crafted web page. The practical risk is unauthorized AI inference components being added to your environment without consent. Patch to the latest version and restrict the configuration interface to localhost or trusted networks only.
Risk Assessment
CVSS 3.3 (Low) accurately reflects the limited blast radius: local attack vector, requires user interaction, no confidentiality impact. However, contextual risk is moderately elevated in AI development environments where lollms-webui runs with broad permissions and administrators may browse untrusted sites from the same machine. The ability to silently install AI services introduces unvetted compute-intensive components and potential supply chain exposure, which matters more in regulated or production-adjacent environments than the raw score suggests.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| lollms-webui | pip | — | No patch |
Do you use lollms-webui? You're affected.
Severity & Risk
Attack Surface
Recommended Action
5 steps-
Patch: Update lollms-webui to the latest available version where CSRF tokens have been applied to configuration endpoints.
-
Network segmentation: Bind the lollms-webui interface to 127.0.0.1 only; never expose admin endpoints to untrusted networks.
-
Browser hygiene: Warn users not to browse untrusted sites while lollms-webui is running in the same browser session.
-
Audit: Review currently installed services in existing deployments (check /etc/lollms or equivalent service directories) for unexpected additions.
-
Detection: Monitor for unexpected process launches (xtts-server, vllm, petals) and unusual outbound network connections from the host running lollms-webui.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Classification
Compliance Impact
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2024-4839?
If your team uses lollms-webui for local LLM experimentation or internal AI tooling, this CSRF flaw lets attackers trick authenticated admins into silently installing AI services (XTTS, vLLM, Petals) via a crafted web page. The practical risk is unauthorized AI inference components being added to your environment without consent. Patch to the latest version and restrict the configuration interface to localhost or trusted networks only.
Is CVE-2024-4839 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-4839, increasing the risk of exploitation.
How to fix CVE-2024-4839?
1. Patch: Update lollms-webui to the latest available version where CSRF tokens have been applied to configuration endpoints. 2. Network segmentation: Bind the lollms-webui interface to 127.0.0.1 only; never expose admin endpoints to untrusted networks. 3. Browser hygiene: Warn users not to browse untrusted sites while lollms-webui is running in the same browser session. 4. Audit: Review currently installed services in existing deployments (check /etc/lollms or equivalent service directories) for unexpected additions. 5. Detection: Monitor for unexpected process launches (xtts-server, vllm, petals) and unusual outbound network connections from the host running lollms-webui.
What systems are affected by CVE-2024-4839?
This vulnerability affects the following AI/ML architecture patterns: local AI development environments, LLM inference servers, AI model serving.
What is the CVSS score for CVE-2024-4839?
CVE-2024-4839 has a CVSS v3.1 base score of 3.3 (LOW). The EPSS exploitation probability is 0.03%.
Technical Details
NVD Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl service, which lack CSRF protection. This vulnerability allows attackers to deceive users into unwittingly installing the XTTS service among other packages by submitting a malicious installation request. Successful exploitation results in attackers tricking users into performing actions without their consent.
Exploitation Scenario
An attacker targeting a data science team creates a malicious website containing a hidden HTML form that auto-submits a POST request to http://localhost:9600/install_service with payload {"service": "xtts"}. When a developer who has lollms-webui open in the same browser visits a phishing link (e.g., disguised as a research paper or a meme link on Slack), their browser sends the request with active session cookies. lollms-webui, lacking CSRF validation, processes the request and begins downloading and installing the XTTS service in the background. The developer sees no prompt; the attacker has now introduced an AI speech-synthesis service running locally with whatever network access lollms-webui has.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N References
- huntr.com/bounties/dcfc5a07-0427-42b5-a623-8d943873d7ff Exploit 3rd Party
- github.com/fkie-cad/nvd-json-data-feeds Exploit
Timeline
Related Vulnerabilities
CVE-2026-1115 9.6 lollms: Stored XSS enables wormable account takeover
Same package: lollms CVE-2024-6982 8.4 lollms: RCE via eval() sandbox bypass in Calculate
Same package: lollms CVE-2026-1117 8.2 lollms: Access Control bypass enables privilege escalation
Same package: lollms CVE-2025-6386 7.5 lollms: timing attack enables credential enumeration
Same package: lollms CVE-2024-6581 6.5 Lollms: SVG upload XSS enables session hijack and RCE
Same package: lollms