CVE-2024-7038 — LOW (CVSS 2.7) AI Security Vulnerability

Q: Is CVE-2024-7038 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7038, increasing the risk of exploitation.

Q: How to fix CVE-2024-7038?

1. Upgrade open-webui beyond 0.3.8 — no official patched version is listed in NVD at time of publication, monitor the repo for a fix. 2. Enforce MFA on all admin accounts accessing open-webui — this is the primary control given PR:H requirement. 3. Run open-webui with a least-privilege service account that has read access only to model directories, limiting filesystem enumeration value. 4. Deploy open-webui behind a reverse proxy with admin paths (/admin/*) restricted to internal networks or VPN. 5. Detection: Log all admin-triggered embedding model path changes and alert on high-frequency or unusual path values (e.g., /etc/, /root/, /home/) in admin activity logs.

Q: What systems are affected by CVE-2024-7038?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, on-premise LLM deployments, AI chat interfaces, embedding pipelines.

Q: What is the CVSS score for CVE-2024-7038?

CVE-2024-7038 has a CVSS v3.1 base score of 2.7 (LOW). The EPSS exploitation probability is 0.21%.

CISO Take

This is a low-severity information disclosure in open-webui 0.3.8 that requires admin-level access to exploit — meaning the blast radius is limited to already-privileged accounts. That said, in AI deployments where open-webui fronts LLMs, a stolen admin session could use this to silently map server filesystem paths before escalating. Upgrade beyond 0.3.8 and enforce MFA on admin accounts.

Risk Assessment

Low exploitability in practice. CVSS 2.7 with PR:H means an attacker must already hold admin credentials, severely limiting the threat population. However, AI chat platforms like open-webui are increasingly exposed externally and may have weak admin credential hygiene. The vulnerability enables filesystem path enumeration, which is reconnaissance value, not direct damage. Risk elevation occurs if admin credentials are shared, phished, or if the webui runs with elevated OS permissions giving the attacker a blueprint of the host.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	<= 0.3.8	No patch
136.3K Pushed today 58% patched ~9d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

2.7 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 43% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR High

UI None

S Unchanged

C Low

I None

A None

Recommended Action

5 steps

Upgrade open-webui beyond 0.3.8 — no official patched version is listed in NVD at time of publication, monitor the repo for a fix.
Enforce MFA on all admin accounts accessing open-webui — this is the primary control given PR:H requirement.
Run open-webui with a least-privilege service account that has read access only to model directories, limiting filesystem enumeration value.
Deploy open-webui behind a reverse proxy with admin paths (/admin/*) restricted to internal networks or VPN.
Detection: Log all admin-triggered embedding model path changes and alert on high-frequency or unusual path values (e.g., /etc/, /root/, /home/) in admin activity logs.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Framework Inference RAG AML.T0006 - Active Scanning AML.T0007 - Discover AI Artifacts AML.T0037 - Data from Local System

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.9.2 - Information security in AI system operations

NIST AI RMF

PROTECT-2.2 - AI system information is protected commensurate with risk

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-7038?

This is a low-severity information disclosure in open-webui 0.3.8 that requires admin-level access to exploit — meaning the blast radius is limited to already-privileged accounts. That said, in AI deployments where open-webui fronts LLMs, a stolen admin session could use this to silently map server filesystem paths before escalating. Upgrade beyond 0.3.8 and enforce MFA on admin accounts.

Is CVE-2024-7038 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7038, increasing the risk of exploitation.

How to fix CVE-2024-7038?

1. Upgrade open-webui beyond 0.3.8 — no official patched version is listed in NVD at time of publication, monitor the repo for a fix. 2. Enforce MFA on all admin accounts accessing open-webui — this is the primary control given PR:H requirement. 3. Run open-webui with a least-privilege service account that has read access only to model directories, limiting filesystem enumeration value. 4. Deploy open-webui behind a reverse proxy with admin paths (/admin/*) restricted to internal networks or VPN. 5. Detection: Log all admin-triggered embedding model path changes and alert on high-frequency or unusual path values (e.g., /etc/, /root/, /home/) in admin activity logs.

What systems are affected by CVE-2024-7038?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, on-premise LLM deployments, AI chat interfaces, embedding pipelines.

What is the CVSS score for CVE-2024-7038?

CVE-2024-7038 has a CVSS v3.1 base score of 2.7 (LOW). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existence and configuration of the file. This behavior allows an attacker to enumerate file names and traverse directories by observing the error messages, leading to potential exposure of sensitive information.

Exploitation Scenario

An attacker compromises an open-webui admin account via credential stuffing or phishing. They navigate to Admin Settings > Embedding Model and iteratively submit file paths as model location values. The application returns distinct error messages — 'file not found', 'invalid model format', or 'permission denied' — depending on whether the path exists and is readable. The attacker scripts this to enumerate directories: /etc/passwd, /app/config/, /models/, extracting a filesystem map of the server. This reconnaissance could precede a second-stage attack using another vulnerability or misconfiguration to read those discovered files.