HIGH 7.6

GHSA-43g4-487m-5q6m

Open WebUI Vulnerable to a Session Fixation Attack

Details

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure` flag enabled, allowing the session cookie to be sent over HTTP to a cross-origin domain. An attacker can exploit this by embedding a malicious markdown image in a chat, which, when viewed by an administrator, sends the admin's session cookie to the attacker's server. This can lead to a stealthy administrator account takeover, potentially resulting in remote code execution (RCE) due to the elevated privileges of administrator accounts.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / open-webui

Introduced in: 0

No fixed version published yet for open-webui (pip). Pin to a known-safe version or switch to an alternative.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-7053 [ADVISORY]
https://github.com/open-webui/open-webui [PACKAGE]
https://huntr.com/bounties/947f8191-0abf-4adf-b7c4-d4c19683aba2 [WEB]