CVE-2024-7806 HIGH

CVE-2024-7806: Remote Code Execution by Non-Admin Users via CSRF in open-webui/open-webui

Vendor Open-Webui
Product open-webui/open-webui
Weakness CWE-352 · CSRF
Published March 20, 2025
Last update March 20, 2025

CVSS base score

8.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.
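The record above names two missing controls: a session cookie that is only SameSite=lax and no CSRF token on state-changing requests. As an added example (not open-webui's own code), the guard below shows the defensive counterpart for a cookie-authenticated API: reject a state-changing request unless its Origin (or Referer) matches the site that set the cookie and a double-submit token in a header matches the token cookie, and issue the session cookie with SameSite=Strict. The header, cookie and origin names are assumptions chosen for illustration.

```python
# Added example: a minimal CSRF guard for a cookie-authenticated backend.
# Not open-webui's code; header/cookie names are assumed for illustration.
from urllib.parse import urlsplit
import hmac

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port], or None."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else None


def csrf_check(method, headers, cookies, allowed_origin):
    """Return (allowed, reason) for one request.

    headers and cookies are plain dicts as a framework would hand them over.
    Safe methods pass; state-changing ones need a same-origin source AND a
    double-submit token (header value equal to the csrf cookie, which a
    cross-site page cannot read or forge).
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    src = headers.get("Origin") or headers.get("Referer")
    if src is None:
        return False, "missing Origin/Referer"
    if origin_of(src) != allowed_origin.lower():
        return False, f"cross-site origin {origin_of(src)}"
    hdr = headers.get("X-CSRF-Token", "")
    ck = cookies.get("csrf_token", "")
    if not hdr or not ck or not hmac.compare_digest(hdr, ck):
        return False, "csrf token mismatch"
    return True, "ok"


def session_cookie_header(value, secure=True):
    """Set-Cookie line for the session: Strict instead of the lax default."""
    flags = "HttpOnly; " + ("Secure; " if secure else "") + "SameSite=Strict"
    return f"session={value}; Path=/; {flags}"


if __name__ == "__main__":
    # Constructed requests: a cross-site POST carrying only the session cookie,
    # and a same-origin POST that also presents the matching token.
    site = "https://webui.example"
    print(csrf_check("POST", {"Origin": "https://evil.example"}, {"session": "s"}, site))
    print(csrf_check("POST", {"Origin": site, "X-CSRF-Token": "t0k"},
                     {"session": "s", "csrf_token": "t0k"}, site))
    print(session_cookie_header("s"))
```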

Key dates

Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated