CVE-2024-7045: open-webui: missing authz exposes admin prompts
GHSA-c7fq-p62p-wvpc | MEDIUM | PoC AVAILABLE | CISA: TRACK*
Any authenticated user on your Open WebUI instance can enumerate and read all admin-created prompts through API endpoints that do not check for admin rights. If your internal LLM deployment uses Open WebUI and prompts contain sensitive instructions, business logic, or security policies, those are now accessible to any user with a valid account. Upgrade beyond v0.3.8 immediately and audit your prompt library for sensitive content.
Risk Assessment
Medium severity in isolation, but contextually higher in enterprise LLM deployments. The attack requires only a valid low-privilege account (CVSS PR:L), making it accessible to any internal user or compromised account. EPSS of 0.00063 indicates low active exploitation probability, but the trivial exploitation path lowers the practical barrier significantly. The actual impact depends heavily on what admin prompts contain — in many organizations, system prompts encode sensitive operational context, tool configurations, or policy instructions that should not be broadly accessible.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| open-webui | pip | <= 0.3.8 | No patch |
Recommended Action
1. Upgrade: Update open-webui beyond v0.3.8; no official patch was tagged at disclosure — monitor the GitHub repo for a patched release.
2. Restrict access: Limit Open WebUI to trusted users only; remove unused or overly broad accounts immediately.
3. Audit prompts: Review all admin-created prompts for sensitive content (credentials, API keys, internal policies, PII, RAG data source details) and sanitize as needed.
4. Detect: Monitor access logs for unusual GET request volume to /api/v1/prompts/ and /api/v1/prompts/command/ from non-admin accounts.
5. Isolate: If no patch is available, place Open WebUI behind a VPN or IP allowlist to minimize exposure surface.
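One way to implement the Detect step, as an added example that is not part of the original advisory or of Open WebUI. It assumes a reverse-proxy access log that records the authenticated user and role on each line; the log format, the sample lines and the thresholds are constructed for illustration and need tuning against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): ts, user, role, method, path, status.
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                  r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
LIST_PATH = "/api/v1/prompts/"
COMMAND_PREFIX = "/api/v1/prompts/command/"

# Constructed sample lines, not taken from a real deployment.
SAMPLE_LOG = """\
2024-08-01T10:00:01Z user=alice role=user GET /api/v1/prompts/ 200
2024-08-01T10:00:03Z user=alice role=user GET /api/v1/prompts/command/triage 200
2024-08-01T10:00:04Z user=alice role=user GET /api/v1/prompts/command/policy 200
2024-08-01T10:00:05Z user=alice role=user GET /api/v1/prompts/command/help 200
2024-08-01T10:02:00Z user=bob role=user GET /api/v1/prompts/ 200
2024-08-01T10:02:09Z user=bob role=user GET /api/v1/prompts/command/help 200
2024-08-01T10:03:00Z user=root role=admin GET /api/v1/prompts/ 200
2024-08-01T10:03:01Z user=root role=admin GET /api/v1/prompts/command/triage 200
2024-08-01T10:03:02Z user=root role=admin GET /api/v1/prompts/command/policy 200
2024-08-01T10:03:03Z user=root role=admin GET /api/v1/prompts/command/help 200
"""

def find_prompt_enumeration(log_text, min_ids=3, window=timedelta(minutes=5)):
    """Return {user: [command ids]} for non-admin accounts that listed prompts
    and then read at least min_ids distinct prompts within the window."""
    listed_at = {}
    fetched = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        if m["role"] == "admin":
            continue  # admins are expected to read every prompt
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        path = m["path"].split("?", 1)[0]
        user = m["user"]
        if path == LIST_PATH:
            listed_at[user] = ts  # start (or restart) this user's window
        elif path.startswith(COMMAND_PREFIX) and user in listed_at:
            if ts - listed_at[user] <= window:
                fetched[user].add(path[len(COMMAND_PREFIX):])
    return {u: sorted(ids) for u, ids in fetched.items() if len(ids) >= min_ids}

if __name__ == "__main__":
    for user, ids in find_prompt_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {user}: read {len(ids)} prompts after listing: {ids}")
```

If the proxy log carries no user identity, the same grouping can be done per session token hash or source IP, at the cost of more false positives behind shared NAT.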
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-7045?
Any authenticated user on your Open WebUI instance can enumerate and read all admin-created prompts through API endpoints that do not check for admin rights. If your internal LLM deployment uses Open WebUI and prompts contain sensitive instructions, business logic, or security policies, those are now accessible to any user with a valid account. Upgrade beyond v0.3.8 immediately and audit your prompt library for sensitive content.
Is CVE-2024-7045 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-7045, increasing the risk of exploitation.
How to fix CVE-2024-7045?
1. Upgrade: Update open-webui beyond v0.3.8; no official patch was tagged at disclosure — monitor the GitHub repo for a patched release.
2. Restrict access: Limit Open WebUI to trusted users only; remove unused or overly broad accounts immediately.
3. Audit prompts: Review all admin-created prompts for sensitive content (credentials, API keys, internal policies, PII, RAG data source details) and sanitize as needed.
4. Detect: Monitor access logs for unusual GET request volume to /api/v1/prompts/ and /api/v1/prompts/command/ from non-admin accounts.
5. Isolate: If no patch is available, place Open WebUI behind a VPN or IP allowlist to minimize exposure surface.
What systems are affected by CVE-2024-7045?
This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, Internal AI portals, Agent frameworks, Model serving.
What is the CVSS score for CVE-2024-7045?
CVE-2024-7045 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.17%.
Technical Details
NVD Description
In version v0.3.8 of open-webui/open-webui, improper access control vulnerabilities allow an attacker to view any prompts. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1/prompts/ interface to retrieve all prompt information created by the admin, which includes the ID values. Subsequently, the attacker can exploit the /api/v1/prompts/command/{command_id} interface to obtain arbitrary prompt information.
Exploitation Scenario
An attacker with a low-privilege Open WebUI account — a compromised employee credential, a trial account on a misconfigured deployment, or an insider — sends a GET request to /api/v1/prompts/ with their session token. The endpoint returns all admin-created prompts including their command IDs without verifying the requester is an admin. The attacker iterates over each ID, calling /api/v1/prompts/command/{command_id} to retrieve full prompt content. Depending on what prompts contain, this could expose system prompt engineering, organizational AI usage policies, RAG data source configurations, or agentic tool instructions — providing intelligence for more sophisticated follow-on attacks against the AI system or the organization.
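A simplified model of the missing check described in the NVD description and the scenario above, with the unchecked handlers beside a hardened form. This is an added example, not Open WebUI's code: the `User`, `Prompt` and handler names are hypothetical, the store is constructed, and the policy (admins read everything, other users only their own prompts) is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: str
    role: str  # "admin" or "user"

@dataclass(frozen=True)
class Prompt:
    command: str
    owner_id: str
    content: str

# Constructed store standing in for the prompt table.
PROMPTS = {
    "triage": Prompt("triage", "admin-1", "Internal escalation policy"),
    "notes": Prompt("notes", "user-7", "Summarise my meeting notes"),
}

class Forbidden(Exception):
    """Would map to HTTP 403 in a real handler."""

# Pattern the advisory describes: the caller is authenticated,
# but neither route looks at the caller's role or at ownership.
def list_prompts_unchecked(user):
    return list(PROMPTS.values())

def get_prompt_unchecked(user, command):
    return PROMPTS[command]

def can_read(user, prompt):
    # Assumed policy: admins read everything, others only their own prompts.
    return user.role == "admin" or prompt.owner_id == user.id

# Hardened form: the same predicate guards the list and the per-ID route,
# so filtering the list cannot be bypassed by requesting an ID directly.
def list_prompts(user):
    return [p for p in PROMPTS.values() if can_read(user, p)]

def get_prompt(user, command):
    prompt = PROMPTS.get(command)
    # Same error for "missing" and "not yours", so IDs cannot be probed.
    if prompt is None or not can_read(user, prompt):
        raise Forbidden(command)
    return prompt
```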
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2026-44551 | 9.1 | open-webui: LDAP auth bypass — full account takeover | Same package: open-webui |
| CVE-2025-64495 | 8.7 | Open WebUI: XSS-to-RCE via malicious prompt injection | Same package: open-webui |
| CVE-2026-44552 | 8.7 | open-webui: Redis cache poisoning enables cross-instance tool hijack | Same package: open-webui |
| CVE-2025-65958 | 8.5 | open-webui: SSRF allows internal network access | Same package: open-webui |
| CVE-2024-7990 | 8.4 | open-webui: Stored XSS enables admin session hijack | Same package: open-webui |