CVE-2024-7806
Published 2025-03-20
Priority: P3 48 | Severity: high | CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.44% (35.5th percentile)
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML page that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-webui | open-webui | >= 0 < 0.3.33 | 0.3.33 |
| open-webui | open-webui_open-webui | unspecified – latest | — |
| openwebui | open_webui | <= 0.3.8 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.0 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
GHSA (2025-03-20): CVE-2024-7806 [HIGH] CWE-352 Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability
OSV (2025-03-20): CVE-2024-7806 [HIGH] Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.