CVE-2024-7959: Open-WebUI: SSRF via unchecked OpenAI URL leaks internal secrets

GHSA-x757-hv69-jr45 HIGH PoC AVAILABLE CISA: TRACK*
Published March 20, 2025
CISO Take

Any authenticated user of open-webui <=0.3.8 can redirect the /openai/models endpoint to arbitrary internal URLs, effectively turning your LLM interface into a proxy to your internal network. In cloud deployments this means instant access to instance metadata endpoints (AWS IMDSv1, GCP/Azure IMDS) and the credentials they carry. Restrict open-webui access to trusted users immediately and upgrade as soon as a patch is available.

What is the risk?

CVSS 7.7 High with Scope:Changed, meaning the vulnerability crosses trust boundaries from the application tier into internal infrastructure. Low attack complexity and low required privileges make this accessible to any authenticated user, not just admins. EPSS is low (0.35%), suggesting limited current exploitation, but the attack path is trivial and the blast radius in cloud environments is severe because of the potential for IMDS credential harvesting.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip <= 0.3.8 No patch
open_webui No patch

How severe is it?

CVSS 3.1: 7.7 / 10
EPSS: 24.5% chance of exploitation in 30 days (higher than 98% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 24%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Changed
C: High
I: None
A: None

What should I do?

  1. Upgrade open-webui beyond 0.3.8 immediately; verify fix in release notes before upgrading.

  2. If patching is not yet possible, block or require admin-only access to the OpenAI URL configuration setting.

  3. Enforce IMDSv2 (AWS) or equivalent on all cloud instances running open-webui to mitigate metadata endpoint abuse.

  4. Apply egress filtering on the open-webui container/host to restrict outbound HTTP to approved AI API endpoints only.

  5. Detect exploitation by monitoring application logs for /openai/models requests targeting non-standard hosts (anything not api.openai.com or your approved LLM endpoint).

  6. Audit existing deployments for any unexpected outbound connections from the open-webui host.

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article-15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.2 - Protection of AI system inputs
NIST AI RMF
GOVERN-6.2 - Policies and procedures for AI risk management
MANAGE-2.4 - Residual risks are monitored and managed
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2024-7959 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7959, increasing the risk of exploitation.

What systems are affected by CVE-2024-7959?

This vulnerability affects the following AI/ML architecture patterns: LLM API gateways, model serving, agent frameworks, self-hosted AI platforms.

What is the CVSS score for CVE-2024-7959?

CVE-2024-7959 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 24.46%.

What is the AI security impact?

Affected AI Architectures

LLM API gateways, model serving, agent frameworks, self-hosted AI platforms

MITRE ATLAS Techniques

AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0075 Cloud Service Discovery
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article-15
ISO 42001: A.9.2
NIST AI RMF: GOVERN-6.2, MANAGE-2.4
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). An attacker can change the OpenAI URL to any URL without checks, causing the endpoint to send a request to the specified URL and return the output. This vulnerability allows the attacker to access internal services and potentially gain command execution by accessing instance secrets.

Exploitation Scenario

An attacker with a low-privilege open-webui account navigates to the OpenAI API configuration and changes the base URL to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS IMDS). They then trigger the /openai/models endpoint, which proxies the request and returns the AWS IAM role credentials in the response. With those credentials the attacker can exfiltrate training data from S3, access connected AI services (Bedrock, SageMaker), or pivot laterally across the cloud environment. In non-cloud environments, the same technique enumerates internal services, databases, or Kubernetes API servers.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.
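
The destination check that CWE-918 describes as missing, which also serves the remediation steps on detecting and auditing base URLs that point at non-approved hosts. This is an added example, not Open WebUI's code or its fix; `check_base_url`, `audit`, `APPROVED_HOSTS`, the injectable resolver and the HTTPS-only policy are assumptions made here.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the approved LLM endpoints for this deployment. api.openai.com
# is the host named on this page; add your own gateway if you use one.
APPROVED_HOSTS = frozenset({"api.openai.com"})

def dns_resolve(host):
    """Return every address the name currently resolves to (live lookup)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def check_base_url(url, approved=APPROVED_HOSTS, resolve=dns_resolve):
    """Return (allowed, reason) for a proposed or observed OpenAI base URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in approved:
        return False, "host not on the approved list"
    if parts.scheme != "https":  # assumption: approved endpoints are HTTPS only
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "URL carries credentials"
    # An approved name must still resolve only to public addresses, so a
    # poisoned or split-horizon DNS answer cannot steer the request to the
    # metadata service or another internal host.
    try:
        addrs = resolve(host)
    except OSError:
        addrs = []
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not ipaddress.ip_address(addr.split("%")[0]).is_global:
            return False, f"resolves to non-public address {addr}"
    return True, "ok"

def audit(urls, **kwargs):
    """Return {url: reason} for every URL that check_base_url rejects."""
    verdicts = {u: check_base_url(u, **kwargs) for u in urls}
    return {u: why for u, (ok, why) in verdicts.items() if not ok}

if __name__ == "__main__":
    # Constructed sample: base URLs as they might appear in a config export.
    seen = ["https://api.openai.com/v1",
            "http://169.254.169.254/latest/meta-data/iam/security-credentials/"]
    print(audit(seen, resolve=lambda h: ["104.18.7.192"]))  # constructed answer
```

A check at configuration time does not cover redirects or a DNS answer that changes later, so the HTTP client that performs the `/openai/models` fetch should not follow redirects, and the check should be repeated when the request is made.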

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Timeline

Published: March 20, 2025
Last Modified: July 21, 2025
First Seen: March 20, 2025

Related Vulnerabilities