CVE-2024-7043: Open WebUI: auth bypass exposes all user files

GHSA-jrhc-9qg9-4qfq HIGH CISA: ATTEND
Published March 20, 2025

CISO Take

Any authenticated user on open-webui v0.3.8 can enumerate, read, and delete files uploaded by all other users through file API calls that are not authorization-checked; no admin role is required. If your org runs this version as an internal LLM frontend, treat all previously uploaded documents as potentially compromised. Upgrade immediately or isolate the deployment to fully trusted users pending a verified patch.

What is the risk?

High severity (CVSS 8.1) but low active exploitation probability (EPSS 0.0008). The vulnerability requires only a valid low-privilege account and zero AI/ML knowledge, making it trivially exploitable by any insider or compromised user account. Risk is amplified in multi-tenant or enterprise deployments where sensitive documents are routinely uploaded for LLM-assisted analysis: the attack surface is every file every user has ever uploaded.

What systems are affected?

Package: Open WebUI
Ecosystem: pip
Vulnerable Range: <= 0.3.8
Patched: No patch

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 42% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

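Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None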

What should I do?

  1. Upgrade open-webui to a patched version above v0.3.8 immediately — verify the changelog confirms authorization enforcement on file endpoints.

  2. If no patch is available, restrict deployment access to fully trusted users via network ACLs or VPN gating.

  3. Audit application logs for anomalous GET /api/v1/files/ enumeration (bulk listing requests from non-admin accounts).

  4. Treat all documents previously uploaded to the instance as potentially exfiltrated — assess based on data classification.

  5. Rotate credentials or tokens exposed in uploaded documents.

  6. Consider placing a WAF rule blocking unauthenticated or low-privilege access to the /api/v1/files/ endpoints.
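
One way to carry out the log audit in step 3, as an added example that is not part of the original advisory or of Open WebUI. The log layout (timestamp, user, role, method, path, status) is an assumed reverse-proxy format and the sample lines are constructed; adapt the regex to whatever your proxy actually records.

```python
import re
from collections import defaultdict

# Constructed sample lines; the field layout (time, user, role, method, path,
# status) is an assumed reverse-proxy format, not Open WebUI's own logging.
SAMPLE_LOG = """\
2025-03-21T09:00:01Z alice admin GET /api/v1/files/ 200
2025-03-21T09:02:10Z bob user GET /api/v1/files/3f1c 200
2025-03-21T09:05:00Z mallory user GET /api/v1/files/ 200
2025-03-21T09:05:01Z mallory user GET /api/v1/files/3f1c 200
2025-03-21T09:05:02Z mallory user GET /api/v1/files/77ab 200
2025-03-21T09:05:03Z mallory user GET /api/v1/files/9d20 200
2025-03-21T09:05:09Z mallory user DELETE /api/v1/files/77ab 200
2025-03-21T09:06:00Z carol user GET /api/v1/files/ 403
"""

LINE = re.compile(
    r"^(\S+) (\S+) (\S+) (GET|DELETE) /api/v1/files/([^/\s?]*)\S* (\d{3})$"
)

def audit_file_api(log_text, min_ids=3):
    """Return {user: summary} for non-admin accounts showing enumeration."""
    seen = defaultdict(lambda: {"listed": False, "read": set(), "deleted": set()})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        _ts, user, role, method, file_id, status = m.groups()
        if role == "admin" or not status.startswith("2"):
            continue  # only successful calls by non-admin accounts matter here
        if not file_id:
            if method == "GET":
                seen[user]["listed"] = True  # bulk listing of every file
        elif method == "GET":
            seen[user]["read"].add(file_id)
        else:
            seen[user]["deleted"].add(file_id)
    findings = {}
    for user, s in seen.items():
        touched = s["read"] | s["deleted"]
        if s["listed"] or len(touched) >= min_ids:
            findings[user] = {"listed_all": s["listed"],
                              "distinct_ids": len(touched),
                              "deleted": sorted(s["deleted"])}
    return findings

if __name__ == "__main__":
    for user, summary in audit_file_api(SAMPLE_LOG).items():
        print(user, summary)
```

Accounts returned here are candidates for the data-classification review in step 4; the `deleted` list shows which file IDs to restore from backup.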

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art.15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.4 - Technical access control for AI systems
NIST AI RMF: MANAGE-2.2 - Risk responses for AI systems include technical controls to prevent unauthorized access
OWASP LLM Top 10: LLM06:2023 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2024-7043 actively exploited?

No confirmed active exploitation of CVE-2024-7043 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2024-7043?

This vulnerability affects the following AI/ML architecture patterns: AI chat interfaces, RAG pipelines, Document analysis workflows, Multi-user LLM deployments.

What is the CVSS score for CVE-2024-7043?

CVE-2024-7043 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.56%.

What is the AI security impact?

Affected AI Architectures

AI chat interfaces
RAG pipelines
Document analysis workflows
Multi-user LLM deployments

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.9.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06:2023

What are the technical details?

Original Advisory

An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all files uploaded by users, which includes the ID values. The attacker can then use the GET /api/v1/files/{file_id} interface to obtain information on any file and the DELETE /api/v1/files/{file_id} interface to delete any file.
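
The missing check described in the advisory, modelled as an added example; this is not Open WebUI's code. The `FileStore` class, its method names and the "owner or admin" policy are assumptions chosen to mirror the three endpoints named above.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised for both missing and foreign file IDs, so IDs cannot be probed."""

@dataclass(frozen=True)
class User:
    id: str
    role: str  # "admin" or "user"

class FileStore:
    def __init__(self):
        self._files = {}  # file_id -> {"owner": user_id, "name": str}

    def add(self, file_id, owner, name):
        self._files[file_id] = {"owner": owner, "name": name}

    # GET /api/v1/files/ as the advisory describes it: the caller's role and
    # identity are never consulted, so every user's file IDs are returned.
    def list_vulnerable(self, caller):
        return sorted(self._files)

    # Hardened listing: admins see everything, users only their own files.
    def list_files(self, caller):
        if caller.role == "admin":
            return sorted(self._files)
        return sorted(fid for fid, f in self._files.items()
                      if f["owner"] == caller.id)

    # Single object-level check shared by read and delete.
    def _authorize(self, caller, file_id):
        record = self._files.get(file_id)
        if record is None or (caller.role != "admin"
                              and record["owner"] != caller.id):
            raise Forbidden(file_id)
        return record

    # GET /api/v1/files/{file_id}
    def get_file(self, caller, file_id):
        return self._authorize(caller, file_id)

    # DELETE /api/v1/files/{file_id}
    def delete_file(self, caller, file_id):
        self._authorize(caller, file_id)
        del self._files[file_id]
```

When verifying a patched release, the same three cases are worth testing against a staging instance: listing as a non-admin, reading another user's file ID, and deleting it.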

Exploitation Scenario

An attacker holding a standard user account on an internal open-webui deployment — such as a low-trust contractor or a compromised employee credential — issues a single GET /api/v1/files/ request. The API returns metadata and IDs for every file uploaded by every user in the system. The attacker scripts iteration over all returned file IDs, downloading full document contents via GET /api/v1/files/{file_id}. In under five minutes they harvest confidential documents submitted by colleagues for AI analysis: vendor contracts, architecture diagrams, HR records, API keys embedded in code snippets. They then selectively DELETE targeted files to remove evidence of sensitive data having been shared. No elevated privileges, no exploit code, no AI knowledge required.

Weaknesses (CWE)

CWE-821 — Incorrect Synchronization: The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published: March 20, 2025
Last Modified: October 15, 2025
First Seen: March 24, 2026
