CVE-2024-7959

High CVSS: 7.7

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). An attacker can change the OpenAI URL to any URL without checks, causing the endpoint to send a request to the specified URL and return the output. This vulnerability allows the attacker to access internal services and potentially gain command execution by accessing instance secrets.

Vendor

Openwebui

Product

Open Webui

CWE

CWE-918

Yayın Tarihi

2025-03-20 10:15:38

Güncelleme

2025-07-21 20:06:27

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-918 Open Webui HIGH Openwebui 2025

Referanslar

https://huntr.com/bounties/3c8bea0a-d678-4d67-bb9c-2b5b610a2193

Benzer Kayıtlar

Medium

CVE-2026-28786

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

High

CVE-2026-28788

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

Medium

CVE-2026-29070

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

Low

CVE-2026-29071

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

High

CVE-2026-26192

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.…

High

CVE-2026-26193

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.…