Cyber Resilience

CVE-2024-7959

HighPublic PoC

Published: 20 March 2025

Published
20 March 2025
Modified
21 July 2025
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0048 65.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-7959 is a high-severity SSRF (CWE-918) vulnerability in Openwebui Open Webui. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-7959 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, in the `/openai/models` endpoint of open-webui/open-webui version 0.3.8. The flaw enables an attacker to replace the OpenAI URL with any arbitrary URL without validation checks, causing the server to send a request to the attacker-specified URL and return its output. This issue carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its confidentiality impact and changed scope.

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction. By manipulating the endpoint, they can force the server to interact with internal services, potentially exposing sensitive data or instance secrets that enable command execution.

Mitigation guidance is available in the Huntr advisory at https://huntr.com/bounties/3c8bea0a-d678-4d67-bb9c-2b5b610a2193.

EU & UK References

Vulnerability details

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). An attacker can change the OpenAI URL to any URL without checks, causing the endpoint to send a request to the specified URL and return the…

more

output. This vulnerability allows the attacker to access internal services and potentially gain command execution by accessing instance secrets.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: openai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in public-facing /openai/models endpoint enables exploitation of public-facing application (T1190) and access to internal instance secrets via cloud metadata API (T1552.005).

CVEs Like This One

CVE-2026-45400Same product: Openwebui Open Webui
CVE-2026-45331Same product: Openwebui Open Webui
CVE-2026-45338Same product: Openwebui Open Webui
CVE-2026-45401Same product: Openwebui Open Webui
CVE-2024-7806Same product: Openwebui Open Webui
CVE-2024-7034Same product: Openwebui Open Webui
CVE-2024-8053Same product: Openwebui Open Webui
CVE-2024-7044Same product: Openwebui Open Webui
CVE-2026-45350Same product: Openwebui Open Webui
CVE-2026-34222Same product: Openwebui Open Webui

Affected Assets

openwebui
open webui
0.3.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-supplied URLs in the /openai/models endpoint to block SSRF exploitation.

prevent

Mandates timely remediation of the specific SSRF flaw in open-webui version 0.3.8 through patching or updates.

prevent

Enforces policies controlling server-initiated information flows to prevent requests to unauthorized internal or external URLs.

References