We found results for “”
CVE-2024-7806
Good to know:
Date: March 20, 2025
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.
Severity Score
Related Resources (7)
Severity Score
Weakness Type (CWE)
Cross-Site Request Forgery (CSRF)
CWE-352Top Fix
Upgrade Version
Upgrade to version open-webui - 0.3.33;open-webui - 0.3.33;https://github.com/open-webui/open-webui.git - v0.3.33
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | REQUIRED |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |
Vulnerabilities
Projects
Contact Us


