Denial of Service (DoS) in open-webui/open-webui
Description
In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS) condition when a user submits excessively large strings, exhausting server resources such as CPU, memory, and disk space, and rendering the service unavailable for legitimate users. This makes the server susceptible to resource exhaustion attacks without requiring authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In open-webui v0.3.32, missing input length validation on login fields allows unauthenticated resource exhaustion via large payloads, leading to DoS.
Vulnerability Overview
CVE-2024-12534 identifies a denial-of-service vulnerability in open-webui version 0.3.32. The sign-in process lacks character length validation on the email and password fields, allowing an attacker to submit excessively large strings that consume server CPU, memory, and disk space [1][2].
Attack Vector
The vulnerability is exploitable over the network without authentication, as the sign-in endpoint is publicly accessible. An attacker can craft HTTP requests containing oversized email or password values, causing the server to allocate disproportionate resources while handling the input [3]. The attack requires no special privileges, making the server susceptible to resource exhaustion from any network-accessible client [2].
Impact
Successful exploitation leads to a denial-of-service condition, where legitimate users are unable to access the service due to exhausted resources. The impact is limited to availability; no data confidentiality or integrity is compromised [2].
Mitigation
As of the advisory, no fixed release was available; version 0.3.32 and earlier are affected. Users should monitor the open-webui repository for a patched release. No workaround is documented. Restricting network access to the sign-in endpoint to trusted clients reduces exposure, and generic controls such as capping request body size at a reverse proxy in front of the application blunt oversized-payload attacks, but neither removes the missing length validation in the application itself [1][4].
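To make the Overview, Attack Vector and Mitigation sections concrete, the following is an added example and not code from the open-webui project: a sketch of the vulnerable pattern (a sign-in handler that parses and processes whatever arrives) beside a hardened handler that rejects oversized input before spending resources on it. The field names, the handler shape, and the limits (a 254-character e-mail cap, a 1024-character password cap, a 4 KiB body cap) are assumptions chosen for illustration, not values from the project or the advisory.

```python
"""Added example (not open-webui's code): oversized sign-in payloads and a
length-capped replacement, illustrating CVE-2024-12534.

The limits, field names and handler shape are assumptions for illustration.
"""
import json

# Assumed limits. 254 is the conventional maximum length of an e-mail
# address; the password and body caps are illustrative choices.
MAX_EMAIL_LEN = 254
MAX_PASSWORD_LEN = 1024
MAX_BODY_BYTES = 4096


def signin_unvalidated(body: bytes) -> tuple[int, str]:
    """Sketch of the vulnerable pattern: parse whatever arrives, then work on it.

    A multi-megabyte email or password is fully decoded and processed, so the
    attacker decides how much memory and CPU each unauthenticated request costs.
    """
    form = json.loads(body)
    email, password = form["email"], form["password"]
    # Stand-in for whatever a real handler does with the fields (normalisation,
    # lookup, hashing, logging); the cost grows with attacker-chosen length.
    work = len(email.lower()) + len(password.encode())
    return 200, f"processed {work} bytes"


def signin_validated(headers: dict[str, str], body: bytes) -> tuple[int, str]:
    """Hardened form: reject oversized input before spending resources on it."""
    # 1. Cheapest check first: the declared size, before the body is touched.
    declared = headers.get("content-length")
    if declared is not None and int(declared) > MAX_BODY_BYTES:
        return 413, "request body too large"
    # 2. Do not trust Content-Length alone; a missing or lying header must not
    #    bypass the cap.
    if len(body) > MAX_BODY_BYTES:
        return 413, "request body too large"
    try:
        form = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    if not isinstance(form, dict):
        return 400, "expected a JSON object"
    email = form.get("email")
    password = form.get("password")
    if not isinstance(email, str) or not isinstance(password, str):
        return 422, "email and password must be strings"
    # 3. Per-field caps, so a body under the byte limit still cannot carry one
    #    field far larger than any legitimate value.
    if len(email) > MAX_EMAIL_LEN:
        return 422, "email too long"
    if len(password) > MAX_PASSWORD_LEN:
        return 422, "password too long"
    return 200, "ok"


def make_signin_body(email: str, password: str) -> bytes:
    """Build a JSON sign-in body (constructed sample input, not captured traffic)."""
    return json.dumps({"email": email, "password": password}).encode()


if __name__ == "__main__":
    normal = make_signin_body("alice@example.com", "correct horse battery staple")
    huge = make_signin_body("a" * 1_000_000, "b" * 1_000_000)
    print(signin_unvalidated(huge))  # accepted and fully processed
    print(signin_validated({"content-length": str(len(huge))}, huge))  # 413
    print(signin_validated({"content-length": str(len(normal))}, normal))  # 200
```

The ordering matters: the size check runs before JSON decoding, so a rejected request costs a header read and a length comparison rather than a full parse of an attacker-sized string. In a real deployment the same body cap would also be enforced at the reverse proxy, with the per-field caps kept in the application as defense in depth.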
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| open-webui (PyPI) | <= 0.3.32 | — |
| open-webui (npm) | <= 0.3.32 | — |
Affected products
- open-webui/open-webui: = v0.3.32
- GHSA coordinates (2 versions): <= 0.3.32
- (no CPE) range: <= 0.3.32
- open-webui/open-webui/open-webui (v5): range unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.