CVE-2024-7044 — MEDIUM (CVSS 6.8) AI Security Vulnerability

Q: Is CVE-2024-7044 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7044, increasing the risk of exploitation.

Q: How to fix CVE-2024-7044?

1. PATCH: Upgrade open-webui beyond 0.3.8 immediately. No patch version is listed by NVD — verify the latest release from the official GitHub repo and confirm the fix is included. 2. WORKAROUND: If patching is not immediate, disable chat file uploads and chat sharing features in admin settings. 3. DETECTION: Review web server logs for unusual file upload activity, especially SVG, HTML, or files with script content. Monitor for unexpected redirects or external resource loads from the open-webui origin. 4. HARDEN: Deploy a strict Content Security Policy (CSP) header blocking inline scripts and unauthorized external origins. Enable HttpOnly and Secure flags on session cookies. 5. AUDIT: Review which users have file upload permissions and restrict to trusted roles only.

Q: What systems are affected by CVE-2024-7044?

This vulnerability affects the following AI/ML architecture patterns: AI chat interfaces, LLM web frontends, multi-user AI platforms, self-hosted LLM deployments.

Q: What is the CVSS score for CVE-2024-7044?

CVE-2024-7044 has a CVSS v3.1 base score of 6.8 (MEDIUM). The EPSS exploitation probability is 0.15%.

CISO Take

Any org running open-webui as their AI chat interface should patch to a version beyond 0.3.8 immediately. A low-privilege attacker can upload a malicious file, share the chat URL, and steal admin or user session tokens when the link is opened. If patching is not immediate, disable file upload and chat sharing features as a workaround.

Risk Assessment

CVSS 6.8 medium understates real-world risk in enterprise AI deployments. The scope change (S:C) and high confidentiality impact signal cross-origin session exposure. EPSS of 0.00262 indicates low current exploitation activity, but open-webui is widely self-hosted by orgs integrating LLMs internally, often with elevated-privilege users (admins, data scientists) as targets. Risk is elevated for multi-user deployments where chat sharing is enabled.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	<= 0.3.8	No patch
135.3K Pushed 8d ago 58% patched ~9d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

6.8 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 35% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI Required

S Changed

C High

I None

A None

Recommended Action

5 steps

PATCH

Upgrade open-webui beyond 0.3.8 immediately. No patch version is listed by NVD — verify the latest release from the official GitHub repo and confirm the fix is included.
WORKAROUND

If patching is not immediate, disable chat file uploads and chat sharing features in admin settings.
DETECTION

Review web server logs for unusual file upload activity, especially SVG, HTML, or files with script content. Monitor for unexpected redirects or external resource loads from the open-webui origin.
HARDEN

Deploy a strict Content Security Policy (CSP) header blocking inline scripts and unauthorized external origins. Enable HttpOnly and Secure flags on session cookies.
AUDIT

Review which users have file upload permissions and restrict to trusted roles only.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Extraction Social Engineering Framework API AML.T0011.003 - Malicious Link AML.T0048.003 - User Harm AML.T0049 - Exploit Public-Facing Application AML.T0078 - Drive-by Compromise AML.T0085 - Data from AI Services

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - Information security for AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms to address AI risks are in place MAP 5.1 - Likelihood and magnitude of identified AI system impacts

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2024-7044?

Any org running open-webui as their AI chat interface should patch to a version beyond 0.3.8 immediately. A low-privilege attacker can upload a malicious file, share the chat URL, and steal admin or user session tokens when the link is opened. If patching is not immediate, disable file upload and chat sharing features as a workaround.

Is CVE-2024-7044 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7044, increasing the risk of exploitation.

How to fix CVE-2024-7044?

1. PATCH: Upgrade open-webui beyond 0.3.8 immediately. No patch version is listed by NVD — verify the latest release from the official GitHub repo and confirm the fix is included. 2. WORKAROUND: If patching is not immediate, disable chat file uploads and chat sharing features in admin settings. 3. DETECTION: Review web server logs for unusual file upload activity, especially SVG, HTML, or files with script content. Monitor for unexpected redirects or external resource loads from the open-webui origin. 4. HARDEN: Deploy a strict Content Security Policy (CSP) header blocking inline scripts and unauthorized external origins. Enable HttpOnly and Secure flags on session cookies. 5. AUDIT: Review which users have file upload permissions and restrict to trusted roles only.

What systems are affected by CVE-2024-7044?

This vulnerability affects the following AI/ML architecture patterns: AI chat interfaces, LLM web frontends, multi-user AI platforms, self-hosted LLM deployments.

What is the CVSS score for CVE-2024-7044?

CVE-2024-7044 has a CVSS v3.1 base score of 6.8 (MEDIUM). The EPSS exploitation probability is 0.15%.

Technical Details

NVD Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. An attacker can inject malicious content into a file, which, when accessed by a victim through a URL or shared chat, executes JavaScript in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.

Exploitation Scenario

An attacker with a standard user account on a corporate open-webui deployment crafts an HTML or SVG file containing a JavaScript payload that exfiltrates document.cookie to an attacker-controlled endpoint. The attacker uploads the file via the chat interface, then shares the chat URL with a victim — targeting an admin or data scientist who has access to model configurations and stored API keys. When the victim opens the shared chat link, the browser executes the injected script under the open-webui origin, harvesting session tokens. The attacker replays the stolen session to access all conversation history, API key settings, and model backend configurations. In environments where open-webui is connected to internal LLM endpoints or RAG document stores, the attacker gains lateral access to sensitive indexed data.