CVE-2024-7053
Published: 20 March 2025
Description
Adversaries can use stolen session cookies to authenticate to web applications and services.
Security Summary
CVE-2024-7053 is a vulnerability in open-webui/open-webui version 0.3.8 caused by an insecure session cookie configuration, which the advisory describes as enabling a session fixation attack. The session cookie for every user is issued with the default SameSite=Lax attribute and without the Secure flag. SameSite=Lax lets the cookie accompany cross-site top-level navigations, and the missing Secure flag lets it be transmitted over plaintext HTTP rather than only over HTTPS. The advisory maps the issue to CWE-79; the resulting weakness lets an attacker steal session cookies through crafted content.
An attacker with a user-level account can exploit this by embedding a malicious markdown image in a chat. When an administrator views the chat, the image triggers a request that sends the administrator's session cookie to the attacker's server. With that cookie the attacker takes over the administrator account without alerting its owner; the account carries elevated privileges, and the advisory notes that this could lead to remote code execution (RCE). The vulnerability has a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H): it needs only a low-privileged account and network access, but depends on an administrator viewing the attacker's chat, and the scope is changed because a compromise of the web session extends to the underlying system.
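As an added example (not code from Open WebUI or from the Huntr report), the Python script below audits a Set-Cookie header for the attributes the advisory says are missing and models when a browser would attach the resulting cookie to a request, so that the effect of the Secure flag and of SameSite=Lax versus Strict can be checked directly. The two header strings are constructed samples, and the function names are this example's own; the browser-attachment rules follow RFC 6265bis, which goes slightly beyond the page's own description.

```python
"""Audit Set-Cookie attributes of the kind CVE-2024-7053 describes and model
when a browser would attach the cookie to a request.

Added example: not Open WebUI code and not from the Huntr report. The header
strings are constructed samples; the function names are this example's own.
"""
from http.cookies import SimpleCookie

# Constructed sample headers (assumption, not captured from a real deployment).
# WEAK_HEADER mirrors the advisory: SameSite left at the Lax default, no Secure flag.
WEAK_HEADER = "token=eyJhbGciOi.example.sig; Path=/; SameSite=Lax"
HARDENED_HEADER = "token=eyJhbGciOi.example.sig; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_set_cookie(header: str) -> dict:
    """Return the cookie name and its three security attributes from a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    # Browsers treat a missing SameSite attribute as Lax.
    samesite = (morsel["samesite"] or "Lax").capitalize()
    return {
        "name": name,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "samesite": samesite,
    }


def audit(header: str) -> list:
    """List the weaknesses a reviewer would flag on a session cookie."""
    c = parse_set_cookie(header)
    findings = []
    if not c["secure"]:
        findings.append("missing Secure: cookie is sent over plaintext HTTP")
    if not c["httponly"]:
        findings.append("missing HttpOnly: cookie is readable by page script")
    if c["samesite"] != "Strict":
        findings.append(
            f"SameSite={c['samesite']}: cookie rides along on cross-site top-level "
            "navigations; use Strict unless a cross-site login flow needs Lax"
        )
    return findings


def would_send(cookie: dict, scheme: str, same_site: bool, top_level_nav: bool) -> bool:
    """Model the browser rules for attaching a cookie to an outgoing request.

    scheme: 'http' or 'https' of the request URL.
    same_site: the request originates from the cookie's own site.
    top_level_nav: the request is a top-level GET navigation rather than a
    subresource fetch such as an <img> load.
    """
    if cookie["secure"] and scheme != "https":
        return False  # a Secure cookie never leaves over plaintext HTTP
    if cookie["samesite"] == "Strict":
        return same_site
    if cookie["samesite"] == "Lax":
        return same_site or top_level_nav
    # SameSite=None is only honoured together with Secure; browsers reject it otherwise.
    return cookie["secure"]


def hardened_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie value carrying the attributes the weak cookie lacks."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Strict"
    return jar[name].OutputString()


if __name__ == "__main__":
    requests = {
        "same-site request over http": ("http", True, False),
        "cross-site top-level navigation over https": ("https", False, True),
        "cross-site <img> fetch over https": ("https", False, False),
    }
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        cookie = parse_set_cookie(header)
        print(f"{label}: {cookie}")
        for finding in audit(header):
            print(f"  finding: {finding}")
        for desc, args in requests.items():
            print(f"  attached on {desc}: {would_send(cookie, *args)}")
    print("hardened header:", hardened_set_cookie("token", "eyJhbGciOi.example.sig"))
```

Run against a live deployment by pasting the Set-Cookie value returned by the login endpoint into audit(); an empty finding list is the state a patched or correctly configured instance should reach. The model in would_send also shows why the Secure flag is the decisive fix for plaintext exposure: with it set, the cookie is withheld from every http:// request regardless of SameSite.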
The primary advisory is the Huntr bounty report at https://huntr.com/bounties/947f8191-0abf-4adf-b7c4-d4c19683aba2, which details the issue; the information available here does not state whether a patched release exists or give mitigation steps. Operators running version 0.3.8 should treat it as affected and verify the Secure, HttpOnly and SameSite attributes of the session cookie their own deployment issues.
Open WebUI is a web interface for self-hosted large language models, making this vulnerability relevant to AI/ML deployments where administrative access could expose model configurations or enable broader system compromise. No real-world exploitation has been reported as of the CVE publication on 2025-03-20.
Details
CWE(s)
- CWE-79 (as mapped by the advisory)
Affected Products
- open-webui/open-webui version 0.3.8
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables theft of a web session cookie via a malicious markdown image (T1539, Steal Web Session Cookie), which facilitates escalation from a user account to the administrator account (T1068, Exploitation for Privilege Escalation) and use of the stolen cookie as alternate authentication material (T1550.004, Use Alternate Authentication Material: Web Session Cookie).