Cyber Resilience

CVE-2024-8053

HighPublic PoC

Published: 20 March 2025

Published
20 March 2025
Modified
27 March 2025
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS Score 0.0073 73.1th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8053 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Openwebui Open Webui. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-8053 is a missing authentication vulnerability (CWE-306) affecting version v0.3.10 of open-webui/open-webui, specifically the `api/v1/utils/pdf` endpoint. This flaw allows unauthenticated attackers to access the PDF generation service without any verification mechanisms. The issue has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), highlighting its high severity due to network accessibility and low complexity.

Unauthenticated remote attackers can exploit this vulnerability by sending POST requests to the endpoint. A particularly large payload can cause server resource exhaustion, leading to denial-of-service (DoS) conditions. Additionally, attackers can misuse the service to generate PDFs without authorization, potentially resulting in service misuse and operational or financial impacts for the affected deployment.

The vulnerability was reported via a bounty on Huntr.com (https://huntr.com/bounties/ebe8c1fa-113b-4df9-be03-a406b9adb9f4). No specific patch or mitigation details are detailed in the available CVE information.

EU & UK References

Vulnerability details

In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with an excessively large payload, potentially leading to server resource…

more

exhaustion and denial of service (DoS). Additionally, unauthorized users can misuse the endpoint to generate PDFs without verification, resulting in service misuse and potential operational and financial impacts.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Unauthenticated access to the public-facing PDF generation API endpoint (T1190) enables exploitation, and large payloads can cause resource exhaustion for application denial of service (T1499.004).

CVEs Like This One

CVE-2026-45399Same product: Openwebui Open Webui
CVE-2024-7036Same product: Openwebui Open Webui
CVE-2024-7806Same product: Openwebui Open Webui
CVE-2024-7959Same product: Openwebui Open Webui
CVE-2024-7034Same product: Openwebui Open Webui
CVE-2024-7044Same product: Openwebui Open Webui
CVE-2026-45350Same product: Openwebui Open Webui
CVE-2026-34222Same product: Openwebui Open Webui
CVE-2024-7043Same product: Openwebui Open Webui
CVE-2026-44567Same product: Openwebui Open Webui

Affected Assets

openwebui
open webui
0.3.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 requires identification and limitation of user actions permitted without authentication, directly preventing unauthenticated access to the PDF generation endpoint.

prevent

AC-3 enforces approved authorizations for access to system resources, mitigating unauthorized use of the API endpoint for PDF generation and misuse.

preventdetect

SC-5 protects against denial-of-service attacks by safeguarding against resource exhaustion from large payloads sent to the unauthenticated endpoint.

References