CVE-2024-8053
Published: 20 March 2025
Summary
CVE-2024-8053 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Openwebui Open Webui. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-8053 is a missing authentication vulnerability (CWE-306) affecting version v0.3.10 of open-webui/open-webui, specifically the `api/v1/utils/pdf` endpoint. This flaw allows unauthenticated attackers to access the PDF generation service without any verification mechanisms. The issue has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), highlighting its high severity due to network accessibility and low complexity.
Unauthenticated remote attackers can exploit this vulnerability by sending POST requests to the endpoint. A particularly large payload can cause server resource exhaustion, leading to denial-of-service (DoS) conditions. Additionally, attackers can misuse the service to generate PDFs without authorization, potentially resulting in service misuse and operational or financial impacts for the affected deployment.
The vulnerability was reported via a bounty on Huntr.com (https://huntr.com/bounties/ebe8c1fa-113b-4df9-be03-a406b9adb9f4). No specific patch or mitigation details are detailed in the available CVE information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6921
Vulnerability details
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with an excessively large payload, potentially leading to server resource…
more
exhaustion and denial of service (DoS). Additionally, unauthorized users can misuse the endpoint to generate PDFs without verification, resulting in service misuse and potential operational and financial impacts.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated access to the public-facing PDF generation API endpoint (T1190) enables exploitation, and large payloads can cause resource exhaustion for application denial of service (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-14 requires identification and limitation of user actions permitted without authentication, directly preventing unauthenticated access to the PDF generation endpoint.
AC-3 enforces approved authorizations for access to system resources, mitigating unauthorized use of the API endpoint for PDF generation and misuse.
SC-5 protects against denial-of-service attacks by safeguarding against resource exhaustion from large payloads sent to the unauthenticated endpoint.