Skip to content

Commit 8c2b670

Browse files
committed
Add vendor dispositions for five huntr CVEs
Publishes rejected, out-of-scope dispositions for CVE-2024-7033, 7034, 7038, 7039 and 7959. All are admin-gated endpoints in the reported version (v0.3.8) and today, verified against the code. Each explains why the behaviour is out of scope: admin actions (Rule 9), intended Tools and Functions execution (Rule 10), inflated PR:L severity on 7039 and 7959 (Rule 8), and the CVE-2025-29446 precedent for the OpenAI-URL SSRF in 7959. Each carries a timeline recording the disposition's publication and the dispute raised with the issuing CNA. The index gains a Vendor Disposition column label and an Official Resolution column (withdrawn records shown as a badge), with row order matching the sidebar.
1 parent 9c5dc87 commit 8c2b670

6 files changed

Lines changed: 384 additions & 11 deletions

File tree

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
---
2+
sidebar_position: 800
3+
title: "CVE-2024-7033"
4+
---
5+
6+
# CVE-2024-7033
7+
8+
| | |
9+
| :--- | :--- |
10+
| **CVE ID** | [CVE-2024-7033](https://www.cve.org/CVERecord?id=CVE-2024-7033) |
11+
| **Vendor Disposition** | Rejected, out of scope |
12+
| **Published** | 2025-03-20 |
13+
| **Issuing CNA** | huntr / Protect AI (from a [bounty report](https://huntr.com/bounties/7078261f-8414-4bb7-9d72-a2a4d8bfd5d1)) |
14+
| **Claimed Severity** | Medium (CVSS 6.5, CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) |
15+
16+
---
17+
18+
## Timeline
19+
20+
This CVE is disputed. The assessment below is Open WebUI's position.
21+
22+
| Date | Event |
23+
| :--- | :--- |
24+
| 2025-03-20 | huntr / Protect AI publishes the CVE. |
25+
| 2026-07-08 | Open WebUI publishes this disposition, rejecting the report as out of scope. |
26+
| 2026-07-08 | Open WebUI contacts huntr / Protect AI directly to dispute the record. |
27+
28+
As of 2026-07-08, the dispute has been raised with the issuing CNA (huntr / Protect AI) and the CVE record has not been amended. This disposition stands as Open WebUI's official assessment.
29+
30+
---
31+
32+
## What the CVE Claims
33+
34+
The report, titled "Arbitrary File Write leading into Remote Code Execution when deployed in Windows", concerns the model-download endpoint. It explains that the endpoint downloads a file from a URL on an allowed host (`huggingface.co`), derives the destination filename from the URL path by splitting on `/` only, and writes it to `file_path = f"{UPLOAD_DIR}/{file_name}"`. Because backslashes are not handled, on a Windows host an administrator can submit a URL whose path contains `\..\` sequences (the proof of concept uses `https://huggingface.co/.../main/\..\..\..\..\..\WINDOWS\Temp\pwned`) and have the download written outside `UPLOAD_DIR` to an arbitrary path. The report argues this can overwrite system files and be escalated to remote code execution. It is classified as CWE-29 (path traversal, `\..\filename`).
35+
36+
---
37+
38+
## Why This Is Out of Scope
39+
40+
The endpoint, `POST /ollama/models/download` (the `download_model` handler), is gated by `Depends(get_admin_user)`. Only an administrator can call it. This was true in the reported version (v0.3.8) and remains true today, and it applies only to Windows deployments. The report's own CVSS vector scores this as **PR:H** (high privileges required): the party in the scenario is an administrator.
41+
42+
### What This Actually Is
43+
44+
The traversal is in the URL the administrator supplies, not in a model that acts on its own. The host allowlist checks only the URL prefix (`https://huggingface.co/`), and the filename is taken from the URL path split on `/`, so backslash sequences placed after the allowed prefix survive into the filename and, on Windows, resolve as path separators. The bytes written come from whatever repository the administrator points the request at (the proof of concept uses a repository the reporter created for the purpose). In plain terms, an administrator crafts a request that writes chosen content to a chosen path on the server they operate. A normal model download from a normal URL writes into `UPLOAD_DIR` as intended; the escape happens only when the administrator places traversal sequences in the URL themselves.
45+
46+
### An Administrator Already Has This Capability
47+
48+
An administrator operates the server and already has arbitrary file write and arbitrary code execution on it, directly (shell, container or host access) and through the application: installing Tools and Functions runs arbitrary Python on the server by design (see [Rule 10](/security/security-policy#reporting-guidelines)). Writing a file to an arbitrary path through a crafted download URL grants an administrator nothing they cannot already do in one line, and the report's escalation to "remote code execution" is circular, because an administrator already has code execution on the instance as a designed feature. Even in the variant where an administrator is tricked into submitting a crafted URL, that is social engineering of an administrator, which is out of scope, and it still yields only what the administrator already controls. There is no path by which an unprivileged user reaches this endpoint.
49+
50+
### Applicable Security Policy Rules
51+
52+
- **[Rule 9](/security/security-policy#reporting-guidelines):** The action requires an administrator, or, in the tricked-admin variant, social engineering of an administrator. Administrators have full system control, including server-level file access and code execution.
53+
- **[Rule 10](/security/security-policy#reporting-guidelines):** The "remote code execution" the report escalates to is functionality administrators already have. Running code on the server via Tools and Functions is intended behavior.
54+
- **[Rule 7](/security/security-policy#reporting-guidelines):** The report does not account for Open WebUI's self-hosted, role-based architecture, in which administrators are trusted operators of the server.
55+
56+
---
57+
58+
## Impact to Users
59+
60+
**No action required.** The endpoint is reachable only by administrators, applies only to Windows deployments, and grants no capability an administrator does not already have on the server they operate. There is no exposure to unprivileged users.
61+
62+
---
63+
64+
## References
65+
66+
- [CVE-2024-7033 on CVE.org](https://www.cve.org/CVERecord?id=CVE-2024-7033)
67+
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2024-7033)
68+
- [huntr bounty report](https://huntr.com/bounties/7078261f-8414-4bb7-9d72-a2a4d8bfd5d1)
69+
- [Open WebUI Security Policy](../security-policy)
Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
---
2+
sidebar_position: 900
3+
title: "CVE-2024-7034"
4+
---
5+
6+
# CVE-2024-7034
7+
8+
| | |
9+
| :--- | :--- |
10+
| **CVE ID** | [CVE-2024-7034](https://www.cve.org/CVERecord?id=CVE-2024-7034) |
11+
| **Vendor Disposition** | Rejected, out of scope |
12+
| **Published** | 2025-03-20 |
13+
| **Issuing CNA** | huntr / Protect AI (from a [bounty report](https://huntr.com/bounties/711beada-10fe-4567-9278-80a689da8613)) |
14+
| **Claimed Severity** | Medium (CVSS 6.5, CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) |
15+
16+
---
17+
18+
## Timeline
19+
20+
This CVE is disputed. The assessment below is Open WebUI's position.
21+
22+
| Date | Event |
23+
| :--- | :--- |
24+
| 2025-03-20 | huntr / Protect AI publishes the CVE. |
25+
| 2026-07-08 | Open WebUI publishes this disposition, rejecting the report as out of scope. |
26+
| 2026-07-08 | Open WebUI contacts huntr / Protect AI directly to dispute the record. |
27+
28+
As of 2026-07-08, the dispute has been raised with the issuing CNA (huntr / Protect AI) and the CVE record has not been amended. This disposition stands as Open WebUI's official assessment.
29+
30+
---
31+
32+
## What the CVE Claims
33+
34+
The report is titled "Remote Code Execution due to Arbitrary File Write". It claims that `POST /ollama/models/upload` builds its destination path as `file_path = f"{UPLOAD_DIR}/{file.filename}"` without sanitizing the user-supplied filename, so an uploader can set `file.filename` to a directory-traversal sequence such as `../../../../../../tmp/pwned` and write outside the upload directory. The report then argues that overwriting configuration files or binaries this way can be escalated to remote code execution. It is classified as CWE-22 (path traversal).
35+
36+
---
37+
38+
## Why This Is Out of Scope
39+
40+
The endpoint, `POST /ollama/models/upload` (the `upload_model` handler), is gated by `Depends(get_admin_user)`. Only an administrator can call it. This was true in the reported version (v0.3.8) and remains true today. The report's own CVSS vector scores this as **PR:H** (high privileges required): the uploader is an administrator.
41+
42+
### An Administrator Can Already Write Any File and Run Any Code
43+
44+
The finding grants an administrator no capability they do not already have. An administrator operates the server. In every supported deployment they have server access, whether explicit (shell, container or host access) or implicit through the application itself: administrators can install Tools and Functions, which execute arbitrary Python on the server by design (see [Rule 10](/security/security-policy#reporting-guidelines)). That is already arbitrary file write and arbitrary code execution, directly and by intent.
45+
46+
Against that baseline, a traversal in an admin-only upload endpoint that lets an administrator write a file outside `UPLOAD_DIR` is not a new capability. It is a longer route to something an administrator can already do in one line. The report's escalation to "remote code execution" is circular: an administrator already has code execution on the instance as a designed feature, so reaching it through an arbitrary file write changes nothing about the trust model. There is no path by which an unprivileged user reaches this endpoint.
47+
48+
### Applicable Security Policy Rules
49+
50+
- **[Rule 9](/security/security-policy#reporting-guidelines):** The action requires an administrator. Administrators have full system control, including server-level file access and code execution, and are expected to understand the implications of their actions.
51+
- **[Rule 10](/security/security-policy#reporting-guidelines):** The "remote code execution" the report escalates to is functionality administrators already have. Running code on the server via Tools and Functions is intended behavior.
52+
- **[Rule 7](/security/security-policy#reporting-guidelines):** The report does not account for Open WebUI's self-hosted, role-based architecture, in which administrators are trusted operators of the server.
53+
54+
---
55+
56+
## Impact to Users
57+
58+
**No action required.** The endpoint is reachable only by administrators, who already have full control of the server and its filesystem through supported functionality. There is no exposure to unprivileged users.
59+
60+
---
61+
62+
## References
63+
64+
- [CVE-2024-7034 on CVE.org](https://www.cve.org/CVERecord?id=CVE-2024-7034)
65+
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2024-7034)
66+
- [huntr bounty report](https://huntr.com/bounties/711beada-10fe-4567-9278-80a689da8613)
67+
- [Open WebUI Security Policy](../security-policy)
Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
---
2+
sidebar_position: 950
3+
title: "CVE-2024-7038"
4+
---
5+
6+
# CVE-2024-7038
7+
8+
| | |
9+
| :--- | :--- |
10+
| **CVE ID** | [CVE-2024-7038](https://www.cve.org/CVERecord?id=CVE-2024-7038) |
11+
| **Vendor Disposition** | Rejected, out of scope |
12+
| **Published** | 2024-10-09 |
13+
| **Issuing CNA** | huntr / Protect AI (from a [bounty report](https://huntr.com/bounties/f42cf72a-8015-44a6-81a9-c6332ef05afc)) |
14+
| **Claimed Severity** | Low (CVSS 2.7, CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) |
15+
16+
---
17+
18+
## Timeline
19+
20+
This CVE is disputed. The assessment below is Open WebUI's position.
21+
22+
| Date | Event |
23+
| :--- | :--- |
24+
| 2024-10-09 | huntr / Protect AI publishes the CVE. |
25+
| 2026-07-08 | Open WebUI publishes this disposition, rejecting the report as out of scope. |
26+
| 2026-07-08 | Open WebUI contacts huntr / Protect AI directly to dispute the record. |
27+
28+
As of 2026-07-08, the dispute has been raised with the issuing CNA (huntr / Protect AI) and the CVE record has not been amended. This disposition stands as Open WebUI's official assessment.
29+
30+
---
31+
32+
## What the CVE Claims
33+
34+
The report, titled "File Name enumeration leads to information disclosure", concerns the embedding-model update feature under admin settings. When an administrator submits an embedding model path (`POST /rag/api/v1/embedding/update`, the `embedding_model` field), the application tries to load it and returns a different error message depending on whether the path exists. The report states that an administrator can submit crafted paths such as `../../../../tmp/testing/test.txt` and, by observing which error comes back, determine whether arbitrary files exist and enumerate directories on the server. It is classified as CWE-209 (error message containing sensitive information).
35+
36+
---
37+
38+
## Why This Is Out of Scope
39+
40+
The endpoint, `POST /rag/api/v1/embedding/update` (the `update_embedding_config` handler), is gated by `Depends(get_admin_user)`. Only an administrator can call it. This was true in the reported version (v0.3.8) and remains true today. The report's own CVSS vector scores this as **PR:H** (high privileges required): the only party who can trigger these error messages is an administrator.
41+
42+
### An Administrator Inspecting Their Own Server Crosses No Boundary
43+
44+
The entire "disclosure" is an administrator learning whether a file exists on a server they fully operate. That is not a security boundary being crossed. It is the operator of a system observing the filesystem of that same system.
45+
46+
Administrators already have complete, direct access to that filesystem. In every supported deployment they have server access, whether explicit (shell, container or host access) or implicit through the application: administrators can install Tools and Functions, which execute arbitrary Python on the server by design (see [Rule 10](/security/security-policy#reporting-guidelines)), and can therefore list any directory and read any file outright, in one step. Against that, inferring one bit ("does this path exist?") from an error message discloses nothing new. It is a slower, weaker way to observe filesystem state the administrator already has full access to. There is only one party here, the administrator, and they already have all of it.
47+
48+
There is no path by which an unprivileged user reaches this endpoint.
49+
50+
### Applicable Security Policy Rules
51+
52+
- **[Rule 9](/security/security-policy#reporting-guidelines):** The action requires an administrator, inspecting a server they operate. Administrators have full system control, including direct filesystem access.
53+
- **[Rule 1](/security/security-policy#reporting-guidelines):** No security boundary is crossed. A vulnerability must cross at least one security boundary; an administrator observing the filesystem of a server they operate crosses none.
54+
- **[Rule 7](/security/security-policy#reporting-guidelines):** The report does not account for Open WebUI's self-hosted, role-based architecture, in which administrators are trusted operators with full server access.
55+
56+
---
57+
58+
## Impact to Users
59+
60+
**No action required.** The endpoint is reachable only by administrators, who already have full visibility of the server's filesystem through supported functionality. There is no exposure to unprivileged users.
61+
62+
---
63+
64+
## References
65+
66+
- [CVE-2024-7038 on CVE.org](https://www.cve.org/CVERecord?id=CVE-2024-7038)
67+
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2024-7038)
68+
- [huntr bounty report](https://huntr.com/bounties/f42cf72a-8015-44a6-81a9-c6332ef05afc)
69+
- [Open WebUI Security Policy](../security-policy)

0 commit comments

Comments
 (0)