CVE-2024-7044: Open WebUI Stored XSS

Q: Is CVE-2024-7044 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7044, increasing the risk of exploitation.

Q: How to fix CVE-2024-7044?

1. PATCH: Upgrade open-webui beyond 0.3.8 immediately. No patch version is listed by NVD — verify the latest release from the official GitHub repo and confirm the fix is included. 2. WORKAROUND: If patching is not immediate, disable chat file uploads and chat sharing features in admin settings. 3. DETECTION: Review web server logs for unusual file upload activity, especially SVG, HTML, or files with script content. Monitor for unexpected redirects or external resource loads from the open-webui origin. 4. HARDEN: Deploy a strict Content Security Policy (CSP) header blocking inline scripts and unauthorized external origins. Enable HttpOnly and Secure flags on session cookies. 5. AUDIT: Review which users have file upload permissions and restrict to trusted roles only.

Q: What systems are affected by CVE-2024-7044?

This vulnerability affects the following AI/ML architecture patterns: AI chat interfaces, LLM web frontends, multi-user AI platforms, self-hosted LLM deployments.

Q: What is the CVSS score for CVE-2024-7044?

CVE-2024-7044 has a CVSS v3.1 base score of 6.8 (MEDIUM). The EPSS exploitation probability is 0.48%.

CISO Take

Any org running open-webui as their AI chat interface should patch to a version beyond 0.3.8 immediately. A low-privilege attacker can upload a malicious file, share the chat URL, and steal admin or user session tokens when the link is opened. If patching is not immediate, disable file upload and chat sharing features as a workaround.

What is the risk?

CVSS 6.8 medium understates real-world risk in enterprise AI deployments. The scope change (S:C) and high confidentiality impact signal cross-origin session exposure. EPSS of 0.00262 indicates low current exploitation activity, but open-webui is widely self-hosted by orgs integrating LLMs internally, often with elevated-privilege users (admins, data scientists) as targets. Risk is elevated for multi-user deployments where chat sharing is enabled.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Open WebUI	pip	<= 0.3.8	No patch
142.4K Pushed 4d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1

6.8 / 10

EPSS

0.5%

chance of exploitation in 30 days

Higher than 37% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR Low

UI Required

S Changed

C High

I None

A None

What should I do?

5 steps

PATCH

Upgrade open-webui beyond 0.3.8 immediately. No patch version is listed by NVD — verify the latest release from the official GitHub repo and confirm the fix is included.
WORKAROUND

If patching is not immediate, disable chat file uploads and chat sharing features in admin settings.
DETECTION

Review web server logs for unusual file upload activity, especially SVG, HTML, or files with script content. Monitor for unexpected redirects or external resource loads from the open-webui origin.
HARDEN

Deploy a strict Content Security Policy (CSP) header blocking inline scripts and unauthorized external origins. Enable HttpOnly and Secure flags on session cookies.
AUDIT

Review which users have file upload permissions and restrict to trusted roles only.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Extraction Social Engineering Framework API AML.T0011.003 - Malicious Link AML.T0048.003 - User Harm AML.T0049 - Exploit Public-Facing Application AML.T0078 - Drive-by Compromise AML.T0085 - Data from AI Services

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - Information security for AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms to address AI risks are in place MAP 5.1 - Likelihood and magnitude of identified AI system impacts

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2024-7044?

Any org running open-webui as their AI chat interface should patch to a version beyond 0.3.8 immediately. A low-privilege attacker can upload a malicious file, share the chat URL, and steal admin or user session tokens when the link is opened. If patching is not immediate, disable file upload and chat sharing features as a workaround.

Is CVE-2024-7044 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7044, increasing the risk of exploitation.

How to fix CVE-2024-7044?

1. PATCH: Upgrade open-webui beyond 0.3.8 immediately. No patch version is listed by NVD — verify the latest release from the official GitHub repo and confirm the fix is included. 2. WORKAROUND: If patching is not immediate, disable chat file uploads and chat sharing features in admin settings. 3. DETECTION: Review web server logs for unusual file upload activity, especially SVG, HTML, or files with script content. Monitor for unexpected redirects or external resource loads from the open-webui origin. 4. HARDEN: Deploy a strict Content Security Policy (CSP) header blocking inline scripts and unauthorized external origins. Enable HttpOnly and Secure flags on session cookies. 5. AUDIT: Review which users have file upload permissions and restrict to trusted roles only.

What systems are affected by CVE-2024-7044?

This vulnerability affects the following AI/ML architecture patterns: AI chat interfaces, LLM web frontends, multi-user AI platforms, self-hosted LLM deployments.

What is the CVSS score for CVE-2024-7044?

CVE-2024-7044 has a CVSS v3.1 base score of 6.8 (MEDIUM). The EPSS exploitation probability is 0.48%.

What is the AI security impact?

Affected AI Architectures

AI chat interfacesLLM web frontendsmulti-user AI platformsself-hosted LLM deployments

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link

AML.T0048.003 User Harm

AML.T0049 Exploit Public-Facing Application

AML.T0078 Drive-by Compromise

AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: 8.4

NIST AI RMF: MANAGE 2.2, MAP 5.1

OWASP LLM Top 10: LLM02:2025, LLM05:2025

What are the technical details?

Original Advisory

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. An attacker can inject malicious content into a file, which, when accessed by a victim through a URL or shared chat, executes JavaScript in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.

Exploitation Scenario

An attacker with a standard user account on a corporate open-webui deployment crafts an HTML or SVG file containing a JavaScript payload that exfiltrates document.cookie to an attacker-controlled endpoint. The attacker uploads the file via the chat interface, then shares the chat URL with a victim — targeting an admin or data scientist who has access to model configurations and stored API keys. When the victim opens the shared chat link, the browser executes the injected script under the open-webui origin, harvesting session tokens. The attacker replays the stolen session to access all conversation history, API key settings, and model backend configurations. In environments where open-webui is connected to internal LLM endpoints or RAG document stores, the attacker gains lateral access to sensitive indexed data.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
[Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.