CVE-2024-7036
Published: 20 March 2025
Summary
CVE-2024-7036 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Open WebUI (open-webui/open-webui). Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004, a sub-technique of Endpoint Denial of Service). The CVE ranks in the top 16.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.
The vulnerability is AI-related: it is categorised under Enterprise AI Assistants, in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate all inputs, including the signup name field, and reject excessively large text before it is stored. This removes the oversized payload that makes the Admin panel unresponsive.
- SI-10, applied to account creation: limit the quantity and types of information accepted in the name field during signup, so that unauthenticated or low-privilege users cannot drive uncontrolled resource consumption.
- SC-5 (Denial-of-service Protection): enforce denial-of-service protections at application entry points (request size limits, rate limits) so oversized-input attacks are stopped before they reach application logic and cause the high availability impact.
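The following added example, written for this page and not taken from Open WebUI's code base, shows the SI-10 control above as code: a signup handler that stores whatever name the client sends (the condition the advisory describes) next to one that bounds the name in characters and in UTF-8 bytes and rejects control characters before anything is persisted. The limits MAX_NAME_CHARS and MAX_NAME_BYTES, the in-memory UserStore, and the 5 MiB payload are assumptions constructed for the demonstration.

```python
"""Added illustration for CVE-2024-7036: bounding the signup 'name' field.

Constructed example, not Open WebUI's own code. MAX_NAME_CHARS, MAX_NAME_BYTES,
UserStore and the attack payload in demo() are assumptions made for the demo.
"""
import unicodedata
from dataclasses import dataclass, field

# Assumed limits: generous for real display names, tiny next to the megabytes
# an attacker can put into an unbounded text field. The byte limit matters
# because multi-byte characters would otherwise bypass a character-only check.
MAX_NAME_CHARS = 64
MAX_NAME_BYTES = 128


class ValidationError(ValueError):
    """Raised when a signup field fails validation."""


@dataclass
class SignupForm:
    name: str
    email: str


@dataclass
class UserStore:
    """Stand-in for the user table the Admin panel renders (assumption)."""
    users: list = field(default_factory=list)


def signup_unvalidated(store: UserStore, form: SignupForm) -> dict:
    """'Before': persists whatever the client sends, including a huge name.

    Every later view that lists users (the Admin panel in the advisory)
    must then handle that payload on every request.
    """
    user = {"name": form.name, "email": form.email}
    store.users.append(user)
    return user


def validate_name(name: str) -> str:
    """SI-10-style input validation for a display name.

    Rejects non-strings, empty or whitespace-only names, names that exceed
    the character or UTF-8 byte limit, and names containing control characters.
    Returns the normalised (stripped) name on success.
    """
    if not isinstance(name, str):
        raise ValidationError("name must be a string")
    cleaned = name.strip()
    if not cleaned:
        raise ValidationError("name must not be empty")
    if len(cleaned) > MAX_NAME_CHARS:
        raise ValidationError(f"name longer than {MAX_NAME_CHARS} characters")
    if len(cleaned.encode("utf-8")) > MAX_NAME_BYTES:
        raise ValidationError(f"name longer than {MAX_NAME_BYTES} bytes")
    if any(unicodedata.category(ch) == "Cc" for ch in cleaned):
        raise ValidationError("name contains control characters")
    return cleaned


def is_valid_name(name: str) -> bool:
    """Boolean wrapper around validate_name for callers that only need accept/reject."""
    try:
        validate_name(name)
    except ValidationError:
        return False
    return True


def signup_validated(store: UserStore, form: SignupForm) -> dict:
    """'After': validate at the entry point, before anything is persisted."""
    user = {"name": validate_name(form.name), "email": form.email}
    store.users.append(user)
    return user


def demo() -> dict:
    """Run both handlers against a constructed oversized payload and report the outcome."""
    oversized = "A" * (5 * 1024 * 1024)  # constructed 5 MiB name, stands in for the PoC input
    before = UserStore()
    signup_unvalidated(before, SignupForm(name=oversized, email="a@example.invalid"))

    after = UserStore()
    try:
        signup_validated(after, SignupForm(name=oversized, email="a@example.invalid"))
        rejected = False
    except ValidationError:
        rejected = True

    return {
        "stored_name_bytes_before": len(before.users[0]["name"].encode("utf-8")),
        "rejected_after": rejected,
        "users_after": len(after.users),
    }


if __name__ == "__main__":
    print(demo())
```

In a FastAPI/Pydantic service such as Open WebUI's backend, the same bound is expressed declaratively with `Field(max_length=...)` on the signup model; the SC-5 control complements it with a request body size limit at the reverse proxy (for example nginx `client_max_body_size`), so oversized bodies are dropped before the application parses them at all.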
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a direct denial of service against the Admin panel (T1499.004, Application or System Exploitation): submitting excessively large input in the signup name field exploits the application's own handling of that field and renders user management functions unresponsive.
NVD Description
A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the 'name' field, causing the Admin panel to become unresponsive. This prevents administrators from performing essential user management actions such as deleting, editing, or adding users. The vulnerability can also be exploited by authenticated users with low privileges, leading to the same unresponsive state in the Admin panel.
Deeper analysis
CVE-2024-7036 is a denial-of-service vulnerability in open-webui/open-webui version 0.3.8. It allows an unauthenticated attacker to sign up using excessively large text in the 'name' field, which causes the Admin panel to become unresponsive. Authenticated users with low privileges can also trigger the same condition. The issue stems from CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high availability impact without compromising confidentiality or integrity.
Exploitation is remote, low-complexity and needs neither privileges nor user interaction: the attacker submits the signup form with an oversized name. Because the advisory also attributes the same effect to authenticated low-privilege users, restricting open signup alone does not remove the exposure; the fix has to bound the field itself. The outcome is an unusable Admin panel, blocking administrators from deleting, editing, or adding users.
Mitigation details are available in the advisory published on Huntr at https://huntr.com/bounties/ba62d093-ab27-48fa-9c53-0602c8cdc48a.
Details
- CWE(s): CWE-400 Uncontrolled Resource Consumption
- Affected Products: open-webui/open-webui v0.3.8
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Open WebUI is a self-hosted web interface for LLMs and generative AI models, fitting the Enterprise AI Assistants category as a platform for deploying and managing AI assistants. The vulnerability is listed on an AI/ML bug bounty platform (huntr).