CVE-2024-7806

CVE-2024-7806 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting open-webui/open-webui versions up to and including 0.3.8. The issue stems from the application's use of authentication cookies with the SameSite attribute set to Lax, combined with the absence of CSRF tokens. This flaw enables remote code execution (RCE) when exploited, as demonstrated by its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, no required privileges, and user interaction needed for high impacts across confidentiality, integrity, and availability.

An attacker can exploit this vulnerability without authentication by crafting a malicious HTML page. When a victim user—potentially a non-admin—visits the attacker's page (for example, via a phishing link or malicious website), the browser automatically sends a CSRF request using the victim's session cookies. This request modifies the Python code of an existing pipeline within the application, allowing the execution of arbitrary code under the victim's privileges.

For mitigation details, refer to the primary advisory on the Huntr bounty page at https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8, which reported the issue. Security practitioners should upgrade to a patched version beyond 0.3.8 if available and implement CSRF protections such as tokens or stricter SameSite cookie policies in similar applications.