Session Fixation Vulnerability in Open-WebUI by Open-WebUI
CVE-2024-7053

9CRITICAL

Key Information:

Vendor: Open-webui
Status: Open-webui/open-webui
Vendor: CVE Published:; 20 March 2025

What is CVE-2024-7053?

A vulnerability in Open-WebUI version 0.3.8 allows an attacker with user-level access to execute a session fixation attack. The default setting of the session cookie lacks the Secure flag and is configured with SameSite=Lax, enabling the cookie to be sent over HTTP to a different domain. By inserting a malicious markdown image in a chat, an attacker may target an administrator; when viewed, the administrator's session cookie is transmitted to the attacker's server. This vulnerability presents a significant risk as it may lead to unauthorized access to an admin account and could ultimately allow for remote code execution due to the privileged access of administrative roles.

Affected Version(s)

open-webui/open-webui <= unspecified

References

https://huntr.com/bounties/947f8191-0abf-4adf-b7c4-d4c196...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

CVSS V3.0

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Jul 23, 2024

Open-webui

What is CVE-2024-7053?

Affected Version(s)

References

CVSS V3.1

CVSS V3.0

Timeline