Description

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application authenticates requests with a cookie whose SameSite attribute is set to Lax and does not use CSRF tokens. Browsers still attach a SameSite=Lax cookie to cross-site top-level navigations, so an attacker can craft a malicious HTML page that, when opened by a logged-in victim, modifies the Python code of an existing pipeline and executes arbitrary code with the victim's privileges.
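To make the two halves of the advisory concrete, the block below is an added illustration, not code from the advisory or from the open-webui code base. The first function encodes the browser-side SameSite rule (which cross-site requests still carry a SameSite=Lax cookie); the second is a generic server-side check (Fetch Metadata, Origin/Referer, synchronizer token) that a state-changing endpoint can apply regardless of the cookie attribute. The origin `https://webui.example`, the header values and the session tokens are constructed for the example; the page does not say which HTTP method the pipeline-update endpoint accepts, so the example covers both the GET and POST cases.

```python
"""CSRF mechanics behind CVE-2024-7806, as an added illustration (not project code).

  * cookie_sent(): the browser-side SameSite rule, showing which cross-site
    requests still carry a SameSite=Lax session cookie.
  * is_trusted_request(): a server-side check for state-changing requests.
Origins, header values and tokens below are constructed for the example.
"""
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_sent(samesite, same_site_request, top_level_navigation, method):
    """Does the browser attach a cookie with this SameSite value to the request?

    Strict: only on same-site requests.
    Lax:    same-site requests, plus cross-site *top-level navigations* that use a
            safe method (a link click, a redirect, a <form method=GET>).
    None:   always (the cookie must also be marked Secure).
    """
    mode = (samesite or "Lax").lower()
    if same_site_request or mode == "none":
        return True
    if mode == "strict":
        return False
    # Lax: a cross-site <form method=POST> or fetch() gets no cookie, but a
    # top-level GET navigation does, so a GET endpoint that mutates state stays exposed.
    return top_level_navigation and method.upper() in SAFE_METHODS


def is_trusted_request(method, headers, trusted_origin, session_token=None, form_token=None):
    """Server-side CSRF check for a state-changing request. Returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method (must not change state)"
    # 1. Fetch Metadata: modern browsers label where the request came from.
    fetch_site = h.get("sec-fetch-site")
    if fetch_site is not None and fetch_site not in ("same-origin", "none"):
        return False, f"Sec-Fetch-Site={fetch_site}"
    # 2. Origin/Referer fallback for clients that do not send Fetch Metadata.
    origin = h.get("origin")
    if origin is None and h.get("referer"):
        p = urlsplit(h["referer"])
        origin = f"{p.scheme}://{p.netloc}"
    if origin is None:
        return False, "no Origin or Referer header"
    if origin.rstrip("/").lower() != trusted_origin.rstrip("/").lower():
        return False, f"origin {origin} is not {trusted_origin}"
    # 3. Synchronizer token: the request body must echo a per-session secret
    #    that a cross-site page cannot read (compared in constant time).
    if session_token is not None:
        if form_token is None or not hmac.compare_digest(session_token, form_token):
            return False, "missing or mismatched CSRF token"
    return True, "ok"


TRUSTED_ORIGIN = "https://webui.example"  # assumed deployment origin
# Constructed requests: what a victim's browser would send from an attacker page
# versus from the application's own UI (header values are made up).
CROSS_SITE_POST = {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site",
                   "Cookie": "token=victim-session"}
SAME_ORIGIN_POST = {"Origin": TRUSTED_ORIGIN, "Sec-Fetch-Site": "same-origin",
                    "Cookie": "token=victim-session"}
LEGACY_SAME_ORIGIN_POST = {"Referer": TRUSTED_ORIGIN + "/workspace/pipelines",
                           "Cookie": "token=victim-session"}

if __name__ == "__main__":
    print("Lax cookie, cross-site top-level GET:", cookie_sent("Lax", False, True, "GET"))
    print("Lax cookie, cross-site form POST:    ", cookie_sent("Lax", False, True, "POST"))
    print("Lax cookie, cross-site fetch() GET:  ", cookie_sent("Lax", False, False, "GET"))
    for name, hdrs in [("cross-site", CROSS_SITE_POST), ("same-origin", SAME_ORIGIN_POST)]:
        print(name, is_trusted_request("POST", hdrs, TRUSTED_ORIGIN, "s3cret", "s3cret"))
```

The practical reading: SameSite=Lax blocks cross-site POST and fetch() requests but not top-level GET navigations, so it is only a partial defence and only if every state-changing endpoint rejects safe methods; an explicit server-side check (Fetch Metadata plus Origin, or a CSRF token) closes the gap independently of how the cookie is flagged.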

INFO

Published Date: 2025-03-20T10:11:05.970Z

Last Modified: 2025-03-20T15:21:35.392Z

Source: @huntr_ai

AFFECTED PRODUCTS

The following products are affected by CVE-2024-7806.

Vendor: Openwebui
  • Product: Open Webui (versions <= 0.3.8)
