CVE-2024-7806
Published: 20 March 2025
Summary
CVE-2024-7806 is a high-severity CSRF (CWE-352) vulnerability in Open WebUI (open-webui/open-webui). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 17.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Protects session authenticity against CSRF attacks by requiring mechanisms like tokens or strict cookie policies to validate cross-site requests.
Mandates validation of information inputs, including CSRF tokens, to block forged requests that modify application pipelines.
Enforces secure configuration settings for authentication cookies, such as SameSite=Strict, to limit automatic inclusion in cross-site requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-7806 is a CSRF vulnerability in a public-facing web application (T1190) that enables attackers to trick authenticated users into modifying Python pipeline code, resulting in arbitrary remote code execution via the Python interpreter (T1059.006).
NVD Description
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.
Deeper analysis
CVE-2024-7806 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting open-webui/open-webui versions up to and including 0.3.8. The issue stems from the application's use of authentication cookies with the SameSite attribute set to Lax, combined with the absence of CSRF tokens. Exploitation leads to remote code execution (RCE). The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects a network attack vector, low attack complexity, no required privileges, required user interaction, and high impact on confidentiality, integrity, and availability.
An attacker can exploit this vulnerability without authentication by crafting a malicious HTML page. When a victim user (potentially a non-admin) visits the attacker's page, for example via a phishing link or malicious website, the browser automatically sends a CSRF request using the victim's session cookies. This request modifies the Python code of an existing pipeline within the application, allowing the execution of arbitrary code under the victim's privileges.
For mitigation details, refer to the primary advisory on the Huntr bounty page at https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8, which reported the issue. Security practitioners should upgrade to a patched version beyond 0.3.8 if available and implement CSRF protections such as tokens or stricter SameSite cookie policies in similar applications.
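The two mitigations named above, sketched in Python as an added illustration (this is not Open WebUI's code or the project's fix): an audit of a Set-Cookie header's SameSite attribute, and a session-bound CSRF token checked on state-changing requests. The X-CSRF-Token header name, the secret handling and the sample cookie values are assumptions made for the example.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Methods treated as read-only; this only holds if GET handlers never change state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed sample header resembling the weak setting described in the advisory.
SAMPLE_SET_COOKIE = "token=abc; Path=/; HttpOnly; SameSite=Lax"


def audit_set_cookie(header: str) -> list[str]:
    """Report every cookie in a Set-Cookie value that is not SameSite=Strict."""
    cookie = SimpleCookie()
    cookie.load(header)
    findings = []
    for name, morsel in cookie.items():
        samesite = morsel["samesite"].lower()
        if samesite != "strict":
            findings.append(f"{name}: SameSite={samesite or 'unset'}, expected strict")
    return findings


def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Derive a token bound to one session, so it cannot be replayed in another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method: str, headers: dict, session_id: str, secret: bytes) -> bool:
    """Reject state-changing requests that lack the session's CSRF token.

    A cross-site form or script can make the browser attach cookies, but it
    cannot read the token and so cannot place it in a custom header.
    """
    if method.upper() in SAFE_METHODS:
        return True
    supplied = headers.get("X-CSRF-Token", "")  # hypothetical header name
    expected = issue_csrf_token(secret, session_id)
    # Constant-time comparison on bytes avoids timing leaks and non-ASCII errors.
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    print(audit_set_cookie(SAMPLE_SET_COOKIE))
    key = b"example-secret-not-for-production"
    good = {"X-CSRF-Token": issue_csrf_token(key, "sess-1")}
    print(is_request_allowed("POST", good, "sess-1", key))  # legitimate request
    print(is_request_allowed("POST", {}, "sess-1", key))    # forged, no token
```
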
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Open-WebUI is a user-friendly web interface for LLMs and AI models (e.g., Ollama, OpenAI-compatible), classified as an Enterprise AI Assistant platform. The CVE is listed on an AI/ML bug bounty site (huntr), confirming AI relevance.