Cyber Posture

CVE-2024-7036

High · Public PoC

Published: 20 March 2025
Modified: 18 July 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0185 (83.1st percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Security Summary

CVE-2024-7036 is a denial-of-service vulnerability in open-webui/open-webui version 0.3.8. It allows an unauthenticated attacker to sign up using excessively large text in the 'name' field, which causes the Admin panel to become unresponsive. Authenticated users with low privileges can also trigger the same condition. The issue stems from CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high availability impact without compromising confidentiality or integrity.

Unauthenticated attackers can exploit this remotely over the network with low complexity and no privileges required, simply by attempting to create an account with oversized input in the name field. Low-privilege authenticated users can achieve the same effect through similar means. Exploitation renders the Admin panel unusable, blocking administrators from essential user management actions like deleting, editing, or adding users.

Mitigation details are available in the advisory published on Huntr at https://huntr.com/bounties/ba62d093-ab27-48fa-9c53-0602c8cdc48a.

Details

CWE(s): CWE-400

Affected Products

Vendor: openwebui
Product: open webui
Version: 0.3.8

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Open WebUI is a self-hosted web interface for LLMs and generative AI models, fitting the Enterprise AI Assistants category as a platform for deploying and managing AI assistants. The vulnerability is listed on an AI/ML bug bounty platform (huntr).

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables denial of service on the Admin panel via exploitation of the application with excessively large input in the signup name field, rendering user management functions unresponsive.

References