CVE-2024-7034 — MEDIUM (CVSS 6.5) AI Security Vulnerability

Q: Is CVE-2024-7034 actively exploited?

No confirmed active exploitation of CVE-2024-7034 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2024-7034?

1. PATCH: Upgrade open-webui to a version > 0.3.8 — verify the specific patched version in the release notes before deploying. 2. WORKAROUND (if unpatched): Block or restrict access to the /models/upload endpoint at the reverse proxy layer (Nginx/Caddy rule: deny POST to /models/upload from non-admin IPs). 3. HARDEN: Enforce filename sanitization at the OS level using a restricted upload directory with no symlinks and a chroot/container boundary. 4. DETECT: Alert on file writes outside UPLOAD_DIR using auditd rules (auditctl -w /etc -p wa) or EDR file integrity monitoring. 5. AUDIT: Review existing uploaded files for path traversal payloads (filenames containing ../ or absolute paths in the uploads table/directory).

CISO Take

Any user with upload privileges on open-webui <= 0.3.8 can overwrite arbitrary files on the host system via crafted filenames in the /models/upload endpoint, potentially achieving remote code execution. Upgrade immediately or disable the upload endpoint if no patch is available. Treat any open-webui instance with multiple users or internet exposure as compromised until patched.

Risk Assessment

CVSS 6.5 understates operational risk. While PR:H limits mass exploitation, open-webui is typically deployed with multiple trusted users (data scientists, ML engineers) who have upload access — making the 'high privilege' bar effectively low in practice. The integrity and availability impact is HIGH, and file overwrite primitives routinely escalate to RCE via cron jobs, SSH authorized_keys, or application config. Internet-exposed open-webui instances are particularly at risk. EPSS of ~3% indicates limited active exploitation currently, but path traversal exploits are well within script-kiddie capability.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	<= 0.3.8	No patch
135.3K Pushed 8d ago 58% patched ~9d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

6.7%

chance of exploitation in 30 days

Higher than 91% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR High

UI None

S Unchanged

C None

I High

A High

Recommended Action

5 steps

PATCH

Upgrade open-webui to a version > 0.3.8 — verify the specific patched version in the release notes before deploying.
WORKAROUND (if unpatched): Block or restrict access to the /models/upload endpoint at the reverse proxy layer (Nginx/Caddy rule: deny POST to /models/upload from non-admin IPs).
HARDEN

Enforce filename sanitization at the OS level using a restricted upload directory with no symlinks and a chroot/container boundary.
DETECT

Alert on file writes outside UPLOAD_DIR using auditd rules (auditctl -w /etc -p wa) or EDR file integrity monitoring.
AUDIT

Review existing uploaded files for path traversal payloads (filenames containing ../ or absolute paths in the uploads table/directory).

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Inference API AML.T0010.001 - AI Software AML.T0018.002 - Embed Malware AML.T0049 - Exploit Public-Facing Application AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system technical controls

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-7034?

Any user with upload privileges on open-webui <= 0.3.8 can overwrite arbitrary files on the host system via crafted filenames in the /models/upload endpoint, potentially achieving remote code execution. Upgrade immediately or disable the upload endpoint if no patch is available. Treat any open-webui instance with multiple users or internet exposure as compromised until patched.

Is CVE-2024-7034 actively exploited?

No confirmed active exploitation of CVE-2024-7034 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-7034?

1. PATCH: Upgrade open-webui to a version > 0.3.8 — verify the specific patched version in the release notes before deploying. 2. WORKAROUND (if unpatched): Block or restrict access to the /models/upload endpoint at the reverse proxy layer (Nginx/Caddy rule: deny POST to /models/upload from non-admin IPs). 3. HARDEN: Enforce filename sanitization at the OS level using a restricted upload directory with no symlinks and a chroot/container boundary. 4. DETECT: Alert on file writes outside UPLOAD_DIR using auditd rules (auditctl -w /etc -p wa) or EDR file integrity monitoring. 5. AUDIT: Review existing uploaded files for path traversal payloads (filenames containing ../ or absolute paths in the uploads table/directory).

What systems are affected by CVE-2024-7034?

This vulnerability affects the following AI/ML architecture patterns: model serving, local LLM deployments, ML workstations and research infrastructure, shared GPU inference clusters, open-webui + Ollama stacks.

What is the CVSS score for CVE-2024-7034?

CVE-2024-7034 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 6.73%.

Technical Details

NVD Description

In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. The vulnerability arises from the usage of `file_path = f"{UPLOAD_DIR}/{file.filename}"` without proper input validation or sanitization. An attacker can exploit this by manipulating the `file.filename` parameter to include directory traversal sequences, causing the resulting `file_path` to escape the intended `UPLOAD_DIR` and potentially overwrite arbitrary files on the system. This can lead to unauthorized modifications of system binaries, configuration files, or sensitive data, potentially enabling remote command execution.

Exploitation Scenario

An attacker with a legitimate open-webui account (e.g., a researcher or developer) crafts a multipart POST to /api/models/upload with Content-Disposition: form-data; name='file'; filename='../../.ssh/authorized_keys'. The server constructs the path as {UPLOAD_DIR}/../../.ssh/authorized_keys and writes attacker-controlled content, adding their public SSH key. Alternatively, the attacker targets /etc/cron.d/backdoor to establish persistence or overwrites a Python package in site-packages to inject malicious code into the model serving stack. In a shared GPU cluster deployment, this single exploit compromises the entire model inference infrastructure for all teams.