CVE-2024-8053
Published: 20 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2024-8053 is a missing authentication vulnerability (CWE-306) affecting version v0.3.10 of open-webui/open-webui, specifically the `api/v1/utils/pdf` endpoint. This flaw allows unauthenticated attackers to access the PDF generation service without any verification mechanisms. The issue has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), highlighting its high severity due to network accessibility and low complexity.
Unauthenticated remote attackers can exploit this vulnerability by sending POST requests to the endpoint. A particularly large payload can cause server resource exhaustion, leading to denial-of-service (DoS) conditions. Additionally, attackers can misuse the service to generate PDFs without authorization, potentially resulting in service misuse and operational or financial impacts for the affected deployment.
The vulnerability was reported via a bounty on Huntr.com (https://huntr.com/bounties/ebe8c1fa-113b-4df9-be03-a406b9adb9f4). No specific patch or mitigation details are detailed in the available CVE information.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- Open WebUI is a self-hosted web interface for running and interacting with Large Language Models (LLMs), classified as an enterprise AI assistant platform. The vulnerability affects its API endpoint, and it was reported on an AI/ML bug bounty platform.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated access to the public-facing PDF generation API endpoint (T1190) enables exploitation, and large payloads can cause resource exhaustion for application denial of service (T1499.004).