CVE-2024-7038: open-webui: filesystem enumeration via admin error messages

GHSA-mq92-jr35-ffpc | Severity: LOW | PoC available | CISA SSVC: Track*
Published October 9, 2024

CISO Take

This is a low-severity information disclosure in open-webui 0.3.8 that requires admin-level access to exploit — meaning the blast radius is limited to already-privileged accounts. That said, in AI deployments where open-webui fronts LLMs, a stolen admin session could use this to silently map server filesystem paths before escalating. Upgrade beyond 0.3.8 and enforce MFA on admin accounts.

What is the risk?

Low exploitability in practice. CVSS 2.7 with PR:H means an attacker must already hold admin credentials, severely limiting the threat population. However, AI chat platforms like open-webui are increasingly exposed externally and may have weak admin credential hygiene. The vulnerability enables filesystem path enumeration, which has reconnaissance value rather than causing direct damage. Risk rises if admin credentials are shared or phished, or if the webui runs with elevated OS permissions, in which case the enumeration gives the attacker a blueprint of the host.

What systems are affected?

Package: Open WebUI
Ecosystem: pip
Vulnerable range: <= 0.3.8
Patched: No patch

How severe is it?

CVSS 3.1: 2.7 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 25% of all CVEs)
Exploitation status: Exploit available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

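Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None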

What should I do?

  1. Upgrade open-webui beyond 0.3.8. No official patched version is listed in NVD at time of publication, so monitor the repo for a fix.

  2. Enforce MFA on all admin accounts accessing open-webui — this is the primary control given PR:H requirement.

  3. Run open-webui with a least-privilege service account that has read access only to model directories, limiting filesystem enumeration value.

  4. Deploy open-webui behind a reverse proxy with admin paths (/admin/*) restricted to internal networks or VPN.

  5. Detection: Log all admin-triggered embedding model path changes and alert on high-frequency or unusual path values (e.g., /etc/, /root/, /home/) in admin activity logs.
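One way to implement the detection in step 5, as an added example that is not open-webui code. The JSON-lines log schema, the `embedding_model_update` event name, the `/app/models` root and the burst thresholds are all assumptions; the log lines are constructed.

```python
import json
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions, not open-webui's real schema: JSON-lines admin log, the event
# name, the model root, and the burst thresholds.
MODEL_ROOT = "/app/models"
BURST_COUNT = 5
BURST_WINDOW = timedelta(minutes=1)

# Constructed sample log (admin names and timestamps are made up).
SAMPLE_LOG = """\
{"ts": "2024-10-09T10:00:00", "admin": "admin1", "event": "embedding_model_update", "path": "/app/models/all-MiniLM-L6-v2"}
{"ts": "2024-10-09T10:05:00", "admin": "admin2", "event": "embedding_model_update", "path": "/etc/passwd"}
{"ts": "2024-10-09T10:05:01", "admin": "admin2", "event": "embedding_model_update", "path": "/root/"}
{"ts": "2024-10-09T10:05:02", "admin": "admin2", "event": "embedding_model_update", "path": "/home/"}
{"ts": "2024-10-09T10:05:03", "admin": "admin2", "event": "embedding_model_update", "path": "/app/models/../config/"}
{"ts": "2024-10-09T10:05:04", "admin": "admin2", "event": "embedding_model_update", "path": "/app/models/"}
"""


def outside_model_root(path):
    """True if the normalised path escapes MODEL_ROOT (handles ../ segments)."""
    if not path.startswith("/"):
        path = posixpath.join(MODEL_ROOT, path)  # relative names resolve under the root
    norm = posixpath.normpath(path)
    return norm != MODEL_ROOT and not norm.startswith(MODEL_ROOT + "/")


def find_alerts(log_text):
    """Return (kind, admin, detail) tuples for suspicious model-path changes."""
    alerts, recent = [], defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        if ev.get("event") != "embedding_model_update":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if outside_model_root(ev["path"]):
            alerts.append(("path_outside_root", ev["admin"], ev["path"]))
        # Sliding window of this admin's recent changes; alert once at the threshold.
        window = [t for t in recent[ev["admin"]] if ts - t <= BURST_WINDOW] + [ts]
        recent[ev["admin"]] = window
        if len(window) == BURST_COUNT:
            alerts.append(("burst", ev["admin"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Normalising before comparing matters: the fifth sample line starts with the model root but resolves outside it.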

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.9.2 - Information security in AI system operations
NIST AI RMF: PROTECT-2.2 - AI system information is protected commensurate with risk
OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2024-7038 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7038, increasing the risk of exploitation.

What systems are affected by CVE-2024-7038?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, on-premise LLM deployments, AI chat interfaces, embedding pipelines.

What is the CVSS score for CVE-2024-7038?

CVE-2024-7038 has a CVSS v3.1 base score of 2.7 (LOW). The EPSS exploitation probability is 0.34%.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, on-premise LLM deployments, AI chat interfaces, embedding pipelines

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0007 Discover AI Artifacts
AML.T0037 Data from Local System

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.2
NIST AI RMF: PROTECT-2.2
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existence and configuration of the file. This behavior allows an attacker to enumerate file names and traverse directories by observing the error messages, leading to potential exposure of sensitive information.

Exploitation Scenario

An attacker compromises an open-webui admin account via credential stuffing or phishing. They navigate to Admin Settings > Embedding Model and iteratively submit file paths as model location values. The application returns distinct error messages — 'file not found', 'invalid model format', or 'permission denied' — depending on whether the path exists and is readable. The attacker scripts this to enumerate directories: /etc/passwd, /app/config/, /models/, extracting a filesystem map of the server. This reconnaissance could precede a second-stage attack using another vulnerability or misconfiguration to read those discovered files.
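The distinct-error behaviour described above, next to a hardened form that confines the path to a model root and returns one message for every failure. This is an added example, not open-webui's code: the function names, the `config.json` marker for a valid model directory and the directory layout are assumptions, and the test tree is constructed.

```python
import logging
import tempfile
from pathlib import Path

log = logging.getLogger("model_path")
GENERIC_ERROR = "Embedding model could not be loaded."  # one message for every failure


def check_path_leaky(path):
    """The pattern the advisory describes: the reply reveals the path's state."""
    p = Path(path)
    if not p.exists():
        return "file not found"
    if not p.is_dir() or not (p / "config.json").is_file():
        return "invalid model format"
    return "ok"


def check_path_uniform(path, model_root):
    """Hardened form: confine to model_root, answer all failures identically."""
    root = Path(model_root).resolve()
    try:
        p = (root / path).resolve()          # resolves ../ segments and symlinks
        if not p.is_relative_to(root):       # Python 3.9+
            reason = "outside model root"
        elif not (p / "config.json").is_file():
            reason = "missing or not a model directory"
        else:
            return "ok"
    except OSError as exc:                   # permission errors, symlink loops
        reason = f"os error: {exc}"
    log.warning("rejected model path %r: %s", path, reason)  # detail stays server-side
    return GENERIC_ERROR


def demo():
    """Build a constructed directory tree and compare both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "models"
        (root / "good").mkdir(parents=True)
        (root / "good" / "config.json").write_text("{}")
        (Path(tmp) / "secret.txt").write_text("x")
        inputs = [str(Path(tmp) / "secret.txt"), str(Path(tmp) / "nope"), "../secret.txt"]
        leaky = {check_path_leaky(p) for p in inputs[:2]}
        uniform = {check_path_uniform(p, root) for p in inputs}
        return leaky, uniform, check_path_uniform("good", root)
```

The rejection reason is still recorded in the server log, so operators keep the diagnostic detail while the HTTP response carries none.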

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Timeline

Published: October 9, 2024
Last Modified: October 15, 2024
First Seen: March 24, 2026
