HIGH 8.0

GHSA-85jc-8h5p-8vw8

Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability

Details

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application authenticates with cookies whose SameSite attribute is set to lax and does not use CSRF tokens. This allows an attacker to craft a malicious HTML page that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.
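An illustration of the server-side check whose absence the advisory describes, added here as an example and not Open WebUI's own code: a stdlib-only Python guard that rejects state-changing requests whose Origin (or, failing that, Referer) is not one of the deployment's trusted origins, plus a session-cookie header that uses SameSite=Strict instead of lax. The trusted origin `https://webui.example` and the other origins in the demo are constructed values.

```python
"""Origin-based CSRF guard for a cookie-authenticated API (added example, stdlib only)."""
from urllib.parse import urlsplit

# Methods that must not change server state and therefore need no CSRF check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def request_origin(headers):
    """Return 'scheme://host[:port]' of the page that sent the request, or None.

    Browsers attach Origin to cross-site POST/PUT/DELETE; Referer is the
    fallback for same-site requests on which Origin may be absent.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin:
        return origin.strip().rstrip("/").lower()
    referer = h.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def csrf_allowed(method, headers, trusted_origins):
    """Allow a request only if it is read-only or provably came from a trusted origin.

    A SameSite=Lax cookie is still sent on top-level navigations, so the cookie
    alone cannot prove the request was not forged; this check fails closed when
    no origin can be established (e.g. 'Origin: null' from a sandboxed page).
    """
    if method.upper() in SAFE_METHODS:
        return True
    origin = request_origin(headers)
    if origin is None or origin == "null":
        return False
    return origin in {o.rstrip("/").lower() for o in trusted_origins}


def session_cookie_header(name, value, max_age=3600):
    """Build a Set-Cookie value the browser will not attach to cross-site requests."""
    return (f"{name}={value}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    TRUSTED = ["https://webui.example"]  # constructed deployment origin
    # A forged POST from another site carries the victim's cookie but a foreign Origin.
    print(csrf_allowed("POST", {"Origin": "https://other-site.example"}, TRUSTED))  # False
    print(csrf_allowed("POST", {"Origin": "https://webui.example"}, TRUSTED))       # True
```

The check complements, rather than replaces, a per-session CSRF token: the Origin comparison stops the forged cross-site write, and the stricter cookie keeps the session out of cross-site navigations altogether.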

Affected packages

PyPI / open-webui
Introduced in: 0
Fixed in: 0.3.33
Fix: pip install --upgrade 'open-webui>=0.3.33'