
We found results for “”
CVE-2024-7806
Good to know:

Date: March 20, 2025
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.
Severity Score
Related Resources (7)
Severity Score
Weakness Type (CWE)
Cross-Site Request Forgery (CSRF)
CWE-352Top Fix

Upgrade Version
Upgrade to version open-webui - 0.3.33;open-webui - 0.3.33;https://github.com/open-webui/open-webui.git - v0.3.33
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | REQUIRED |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |