Remote Code Execution Vulnerability in Open-WebUI by Open-WebUI
CVE-2024-7806

8.8 HIGH

Key Information:

Vendor:
Open-webui

CVE Published:
20 March 2025

What is CVE-2024-7806?

A remote code execution vulnerability exists in Open-WebUI versions up to 0.3.8. The application's session cookie is not restricted with a suitable SameSite attribute and its state-changing requests do not carry a CSRF token, so a browser that is logged in to Open-WebUI will attach the session cookie to a request submitted by any attacker-controlled page; the page describes this as exploitable from a non-admin account. An attacker who lures a logged-in user to a crafted HTML page can therefore forge a request that modifies Python code already stored in the application, and when that code runs the attacker obtains arbitrary code execution with the victim user's privileges. Organizations running affected versions should update to a fixed release and, until then, confirm that the session cookie is issued with a SameSite attribute and that every state-changing endpoint validates the Origin header or a CSRF token.
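The two conditions named above, a session cookie without a SameSite restriction and a state-changing endpoint with no CSRF token, are easy to reason about with a small model. The following is an added example, not code from the Open-WebUI project: it approximates the browser's SameSite decision for a cross-site form POST, models the unprotected endpoint beside a hardened one (Origin allow-list plus a per-session synchronizer token), and replays the attack against both. The cookie name `token`, the deployment origin `https://webui.example.test`, the attacker origin `https://attacker.example` and the update path are all constructed for illustration.

```python
"""
Added example, not Open-WebUI code: models the advisory's two failures
(session cookie without SameSite, state-changing endpoint without a CSRF
token) and the hardened counterpart. Cookie name, origins and the endpoint
path below are assumptions made for illustration.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
ALLOWED_ORIGINS = {"https://webui.example.test"}   # assumed deployment origin


def browser_attaches_cookie(samesite: Optional[str], same_site_request: bool,
                            method: str, top_level_navigation: bool) -> bool:
    """Approximates the SameSite rules a browser applies to one cookie.

    A cookie with no SameSite attribute is modelled as SameSite=None, the
    historical default that some browsers still apply; that is the
    'improperly configured' case the advisory describes.
    """
    if same_site_request:
        return True
    mode = (samesite or "None").lower()
    if mode == "strict":
        return False
    if mode == "lax":
        # Lax cookies ride along only on safe-method top-level navigations,
        # so a cross-site form POST arrives without the session.
        return method.upper() in SAFE_METHODS and top_level_navigation
    return True


def set_cookie_header(name: str, value: str, hardened: bool) -> str:
    """Set-Cookie line for the session token: weak form beside hardened form."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if hardened:
        attrs += ["Secure", "SameSite=Lax"]
    return "; ".join(attrs)


def issue_csrf_token(session_id: str, store: dict[str, str]) -> str:
    """Synchronizer token: one random value per session, handed to the UI and
    echoed back in a request header on every state-changing call."""
    store[session_id] = secrets.token_urlsafe(32)
    return store[session_id]


@dataclass
class Request:
    method: str
    headers: dict[str, str] = field(default_factory=dict)
    cookies: dict[str, str] = field(default_factory=dict)


def verify_csrf(req: Request, store: dict[str, str]) -> tuple[bool, str]:
    """Origin allow-list plus synchronizer-token check for unsafe methods."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    if req.headers.get("Origin") not in ALLOWED_ORIGINS:   # missing Origin is rejected too
        return False, "origin not allowed"
    expected = store.get(req.cookies.get("token", ""))
    presented = req.headers.get("X-CSRF-Token", "")
    if not expected or not hmac.compare_digest(expected, presented):
        return False, "csrf token missing or wrong"
    return True, "ok"


def simulate_cross_site_post(samesite: Optional[str], server_checks_csrf: bool,
                             store: dict[str, str],
                             session_id: str = "s3ss10n") -> str:
    """A logged-in victim visits https://attacker.example (constructed), which
    auto-submits a form POST to the code-update endpoint (path assumed)."""
    cookies: dict[str, str] = {}
    if browser_attaches_cookie(samesite, same_site_request=False,
                               method="POST", top_level_navigation=True):
        cookies["token"] = session_id
    req = Request(method="POST",
                  headers={"Origin": "https://attacker.example",
                           "Content-Type": "application/x-www-form-urlencoded"},
                  cookies=cookies)
    # Assumed endpoint: POST /functions/update with the replacement Python body.
    if "token" not in req.cookies:
        return "rejected: no session cookie"
    if server_checks_csrf:
        ok, why = verify_csrf(req, store)
        if not ok:
            return f"rejected: {why}"
    return "accepted: function code replaced"


if __name__ == "__main__":
    store: dict[str, str] = {}
    issue_csrf_token("s3ss10n", store)
    print(set_cookie_header("token", "s3ss10n", hardened=False))
    print(set_cookie_header("token", "s3ss10n", hardened=True))
    print("no SameSite, no token check:", simulate_cross_site_post(None, False, store))
    print("SameSite=Lax only:          ", simulate_cross_site_post("Lax", False, store))
    print("token check only:           ", simulate_cross_site_post(None, True, store))
```

Either fix on its own stops the replayed attack, which is why both belong in a hardened deployment: SameSite=Lax keeps the cookie off the cross-site POST, and the Origin plus token check rejects the request even if a browser sends the cookie anyway. The model deliberately omits browser quirks such as Chrome's temporary Lax-allows-POST window for freshly set cookies, which is a further reason not to rely on SameSite alone.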

Affected Version(s)

open-webui/open-webui <= unspecified


CVSS V3.1

Score: 8.8
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

CVSS V3.0

Score: 8.0
Severity: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

The two assessments differ only in Privileges Required (None in the V3.1 vector, Low in the V3.0 vector), which accounts for the 8.8 versus 8.0 scores; both agree that the attack needs a logged-in user to interact with attacker-controlled content.

Timeline

  • Vulnerability published: 20 March 2025

  • Vulnerability reserved