CVE-2024-7039: open-webui: Privilege bypass enables admin account deletion

GHSA-pqwr-phvv-v49f | Severity: HIGH | CISA SSVC: Attend
Published March 20, 2025
CISO Take

An authenticated admin in open-webui 0.3.8 and earlier can delete other admin accounts by calling the user-deletion API endpoint directly. The restriction exists only in the web UI; the server does not enforce it. The practical outcome is admin lockout: one compromised admin credential can be converted into exclusive control of the platform. Where open-webui serves as an internal AI gateway, that control extends to model backends, provider API keys and stored conversations. Upgrade past 0.3.8 as soon as possible, but note that the affected-range table on this page lists no patched version, so confirm in the project's release notes that the version you deploy enforces the restriction server-side. Until then, restrict API access to trusted networks.

Risk Assessment

CVSS 8.3 (High). EPSS is low (this page reports 0.00092 here and 0.17% elsewhere; the figures come from different snapshot dates), but EPSS estimates the probability of exploitation activity in the next 30 days and is not evidence that none has occurred. The attack itself is trivial once admin credentials are in hand: no special tooling or AI expertise, one HTTP DELETE per target account. Open-webui is widely deployed as a self-hosted LLM interface in enterprise and research environments, so the exposed population is broad. The direct blast radius is the open-webui instance, but loss of administrative control over an AI gateway can expose the model infrastructure behind it, provider API keys and conversation histories.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
open-webui   pip         <= 0.3.8           No patch

Severity & Risk

CVSS 3.1 base score: 8.3 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 37% of all CVEs)
Exploitation Status: Exploit Available; exploitation likelihood: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Metric                     Value
Attack Vector (AV)         Network
Attack Complexity (AC)     Low
Privileges Required (PR)   Low
User Interaction (UI)      None
Scope (S)                  Unchanged
Confidentiality (C)        High
Integrity (I)              High
Availability (A)           Low

Note on PR: the NVD description requires the attacker to already hold an admin account, which in CVSS terms is PR:H rather than PR:L. Read the practical precondition as a compromised or malicious admin, not an ordinary authenticated user.

Recommended Action

5 steps
  1. Update open-webui to a version later than 0.3.8. The affected-range table on this page shows no patched version, so confirm from the project's release notes or changelog that the release you deploy enforces the admin-deletion restriction on the server, not only in the UI.
  2. If patching is not immediately feasible, block DELETE requests to /api/v1/users/ at the reverse proxy or WAF. This also blocks legitimate user deletion by admins, so limit the rule to the window until the upgrade, or allowlist a single trusted admin source address.
  3. Audit the current user list against a known-good roster of admins. A deleted account no longer appears in the list, so look for missing admins as well as unexpected additions or role changes.
  4. Enable API access logging and alert on DELETE requests to /api/v1/users/{uuid}, in particular on several such requests from one source in a short window.
  5. Apply least privilege: keep the number of admin accounts minimal, and rotate credentials for any account that may have been exposed.
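Steps 3 and 4 are the ones a SOC can automate. The script below is an added example, not code from this page or from the open-webui project: it parses constructed access-log lines in the common nginx/Apache format (the sample entries are invented), flags every DELETE aimed at /api/v1/users/{uuid} as the NVD text describes that path, records whether the server accepted it, and reports sources that removed more than one account, which is the admin-wipe pattern from the exploitation scenario. The log format, field layout and thresholds are assumptions; adapt them to whatever your proxy emits.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample access-log lines in the common nginx/Apache format.
# They are invented for this example and are not taken from a real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /api/v1/users/ HTTP/1.1" 200 512
10.0.0.5 - - [20/Mar/2025:10:01:09 +0000] "DELETE /api/v1/users/3f2b1c9e-8a4d-4f6e-9c1b-2d7e8f9a0b1c HTTP/1.1" 200 21
10.0.0.5 - - [20/Mar/2025:10:01:11 +0000] "DELETE /api/v1/users/7a1e4d2c-5b6f-4a8e-b9c0-d1e2f3a4b5c6 HTTP/1.1" 200 21
10.0.0.9 - - [20/Mar/2025:10:02:30 +0000] "DELETE /api/v1/chats/42 HTTP/1.1" 200 21
10.0.0.9 - - [20/Mar/2025:10:02:45 +0000] "DELETE /api/v1/users/7a1e4d2c-5b6f-4a8e-b9c0-d1e2f3a4b5c6 HTTP/1.1" 403 30
10.0.0.5 - - [20/Mar/2025:10:03:00 +0000] "POST /api/v1/auths/signin HTTP/1.1" 200 310
"""

# Request line of a common-format log entry: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Path shape from the NVD description: /api/v1/users/{uuid}. A trailing slash is tolerated.
UUID = r'[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
USER_DELETE_RE = re.compile(rf'^/api/v1/users/(?P<uuid>{UUID})/?$')


@dataclass(frozen=True)
class Alert:
    ip: str
    ts: str
    user_id: str
    status: int
    succeeded: bool  # 2xx: the deletion went through; anything else: refused or failed


def find_user_deletions(log_text: str) -> List[Alert]:
    """Return one Alert per DELETE aimed at a user-by-UUID endpoint, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'DELETE':
            continue
        p = USER_DELETE_RE.match(m['path'])
        if not p:
            continue
        status = int(m['status'])
        alerts.append(Alert(m['ip'], m['ts'], p['uuid'].lower(), status, 200 <= status < 300))
    return alerts


def burst_sources(alerts: List[Alert], threshold: int = 2) -> List[str]:
    """Source IPs with at least `threshold` successful user deletions (admin-wipe pattern)."""
    counts = Counter(a.ip for a in alerts if a.succeeded)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    found = find_user_deletions(SAMPLE_LOG)
    for a in found:
        state = 'OK' if a.succeeded else 'refused'
        print(f"{a.ts} {a.ip} DELETE user {a.user_id} -> {a.status} {state}")
    print('burst sources:', burst_sources(found))
```

Feed the function your real proxy log instead of SAMPLE_LOG; a refused (403) deletion is still worth an alert because it shows someone probing the endpoint, which is why the detector records it with succeeded=False rather than dropping it.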

CISA SSVC Assessment

Decision: Attend
Exploitation: PoC
Automatable: No
Technical Impact: Total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.1.1 - AI roles and responsibilities
NIST AI RMF
GOVERN-1.1 - Organizational policies for AI risk management
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2024-7039?

An improper privilege management flaw in open-webui 0.3.8 and earlier: an authenticated admin can delete other admin accounts through a direct call to the user-deletion API, a restriction the web UI applies but the server does not. A single compromised admin credential can therefore become exclusive control of the platform. See the CISO Take above for the deployment context.

Is CVE-2024-7039 actively exploited?

No confirmed active exploitation of CVE-2024-7039 has been reported. A public proof of concept exists (see Severity & Risk), and the request is trivial to issue, so organizations should still patch proactively.

How to fix CVE-2024-7039?

Follow the five steps under Recommended Action: upgrade to a version later than 0.3.8 (confirming the fix is present, since the affected-range table lists no patched version); until then block DELETE to /api/v1/users/ at the reverse proxy or WAF; audit the user list against a known-good admin roster; log and alert on DELETE requests to /api/v1/users/{uuid}; and minimize admin accounts and rotate any credentials that may have been exposed.

What systems are affected by CVE-2024-7039?

The affected software is open-webui itself, version 0.3.8 and earlier. This page classifies such deployments under the following AI/ML architecture patterns: AI chat interfaces, self-hosted LLM deployments, model serving, agent frameworks.

What is the CVSS score for CVE-2024-7039?

CVE-2024-7039 has a CVSS v3.1 base score of 8.3 (HIGH). The EPSS exploitation probability is 0.17%.

Technical Details

NVD Description

In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls.

Exploitation Scenario

An attacker obtains admin credentials to an open-webui instance via phishing, credential stuffing, or an insider threat. Rather than using the web UI — which enforces peer-admin deletion restrictions — the attacker issues a direct HTTP DELETE to /api/v1/users/{uuid_of_other_admin}, removing all other administrators one by one. Now the sole admin, they reconfigure model backends to route prompts through attacker-controlled infrastructure, exfiltrate stored conversation histories containing sensitive business data, and expose API keys for underlying LLM providers.
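The root cause is a UI-only restriction with no matching server-side check. The following is an added illustration, not open-webui's code: a minimal in-memory user store with two delete handlers. The vulnerable one reproduces the behaviour the NVD text describes (any admin may delete any account), the hardened one enforces on the server what the UI was relying on, and run_takeover replays the scenario above against each. Names, roles and the store are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

ROLE_ADMIN = "admin"


@dataclass
class User:
    id: str
    role: str  # "admin", "user" or "pending" in this illustration


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


class UserStore:
    """Tiny in-memory stand-in for the user table; not open-webui's data layer."""

    def __init__(self, users: Iterable[User]):
        self.users: Dict[str, User] = {u.id: u for u in users}

    def admin_count(self) -> int:
        return sum(1 for u in self.users.values() if u.role == ROLE_ADMIN)


def delete_user_vulnerable(store: UserStore, requester_id: str, target_id: str) -> None:
    """Role gate only: any admin may delete any account, including other admins.
    This mirrors the API-side behaviour the NVD text describes, where the
    peer-admin restriction lives in the UI rather than on the server."""
    requester = store.users[requester_id]
    if requester.role != ROLE_ADMIN:
        raise Forbidden("admin role required")
    if target_id not in store.users:
        raise NotFound(target_id)
    del store.users[target_id]


def delete_user_hardened(store: UserStore, requester_id: str, target_id: str) -> None:
    """Same gate, plus the two server-side rules the UI was relying on:
    an admin may not delete another admin, and the last admin cannot be removed."""
    requester = store.users[requester_id]
    if requester.role != ROLE_ADMIN:
        raise Forbidden("admin role required")
    target = store.users.get(target_id)
    if target is None:
        raise NotFound(target_id)
    if target.role == ROLE_ADMIN and target.id != requester.id:
        raise Forbidden("admins cannot delete other admins through the API")
    if target.role == ROLE_ADMIN and store.admin_count() <= 1:
        raise Forbidden("refusing to delete the last remaining admin")
    del store.users[target_id]


def run_takeover(delete_fn: Callable[[UserStore, str, str], None]) -> int:
    """Replay the page's scenario: one admin credential is compromised and the
    attacker deletes every other admin via the API. Returns admins left afterwards."""
    store = UserStore([
        User("a1", ROLE_ADMIN),  # the compromised account
        User("a2", ROLE_ADMIN),
        User("a3", ROLE_ADMIN),
        User("u1", "user"),
    ])
    for victim in ("a2", "a3"):
        try:
            delete_fn(store, "a1", victim)
        except Forbidden:
            pass  # the hardened handler refuses; the vulnerable one never raises here
    return store.admin_count()


if __name__ == "__main__":
    print("vulnerable handler leaves", run_takeover(delete_user_vulnerable), "admin(s)")
    print("hardened handler leaves", run_takeover(delete_user_hardened), "admin(s)")
```

The fix that matters is the one in delete_user_hardened: an authorization decision made in the browser is a hint, not a control, and every API route that the UI hides must repeat the check on the server. The last-admin guard is a second, independent safety net against self-lockout.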

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

The vector string is labelled CVSS 3.0 while the score elsewhere on this page is labelled 3.1; the metrics are the same and yield 8.3 under both versions. PR:L is the questionable metric: the NVD description requires an existing admin account, which is PR:H in CVSS terms and would bring the base score down to about 7.8.

Timeline

Published
March 20, 2025
Last Modified
October 15, 2025
First Seen
March 24, 2026

Related Vulnerabilities