GHSA-85jc-8h5p-8vw8

Source

https://github.com/advisories/GHSA-85jc-8h5p-8vw8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-85jc-8h5p-8vw8/GHSA-85jc-8h5p-8vw8.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-85jc-8h5p-8vw8

Aliases

CVE-2024-7806

Published

2025-03-20T12:32:46Z

Modified

2025-03-21T21:56:12.093044Z

Severity

8.0 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability

Details

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.

Database specific

{
    "github_reviewed_at": "2025-03-21T21:18:09Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ],
    "nvd_published_at": "2025-03-20T10:15:37Z"
}

References

Affected packages

PyPI / open-webui

Package

Name: open-webui; View open source insights on deps.dev
Purl: pkg:pypi/open-webui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.3.33

Affected versions

0.*

0.1.124

0.1.125

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.3.10

0.3.12

0.3.13

0.3.14

0.3.15

0.3.16

0.3.17.dev2

0.3.17.dev3

0.3.17.dev4

0.3.17.dev5

0.3.17

0.3.18

0.3.19

0.3.20

0.3.21

0.3.22

0.3.23

0.3.24

0.3.25

0.3.26

0.3.27.dev1

0.3.27.dev2

0.3.27.dev3

0.3.27

0.3.28

0.3.29

0.3.30.dev1

0.3.30.dev2

0.3.30

0.3.31.dev1

0.3.31

0.3.32

0.3.33.dev1