CVE-2024-7806

High CVSS: 8.8

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.

Vendor

Openwebui

Product

Open Webui

CWE

CWE-352

Yayın Tarihi

2025-03-20 10:15:37

Güncelleme

2025-03-26 16:46:35

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-352 Open Webui HIGH Openwebui 2025

Referanslar

https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8 https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8

Benzer Kayıtlar

Medium

CVE-2026-28786

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

High

CVE-2026-28788

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

Medium

CVE-2026-29070

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

Low

CVE-2026-29071

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

High

CVE-2026-26192

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.…

High

CVE-2026-26193

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.…