CVE-2024-7806: Open-WebUI: CSRF enables RCE via pipeline code injection

GHSA-85jc-8h5p-8vw8 | HIGH | PoC AVAILABLE | CISA: ATTEND
Published March 20, 2025

CISO Take

Any organization running Open-WebUI as an internal AI interface should patch to 0.3.33 immediately: this is an RCE that needs no interaction on the server side and is reachable by tricking any authenticated user into visiting a malicious page. The blast radius is full code execution with the victim's privileges on your AI pipeline infrastructure. If you cannot patch today, restrict Open-WebUI access to trusted network segments and enforce browser-level controls to limit cross-origin requests.

Risk Assessment

High risk for organizations running Open-WebUI as a shared internal AI frontend. CVSS 8.0 reflects network-accessible exploitation with low privilege requirements; any authenticated user's session can be weaponized. The EPSS of 0.75% is likely underweighted given the trivial exploit complexity: CSRF against a SameSite=lax cookie is a well-documented attack pattern requiring no AI/ML expertise. The pipeline code modification primitive converts what could be a limited CSRF into full arbitrary code execution, dramatically elevating real-world impact beyond what the base score suggests.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
open-webui | pip | < 0.3.33 | 0.3.33

Severity & Risk

CVSS 3.1: 8.0 / 10
EPSS: 1.8% chance of exploitation in 30 days (higher than 83% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

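AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High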

Recommended Action

  1. PATCH

    Upgrade open-webui to >= 0.3.33 immediately.

  2. NETWORK ISOLATION

    Until patched, restrict Open-WebUI to internal-only access via VPN or allowlisted IPs — this eliminates the cross-origin request vector.

  3. SESSION HARDENING

    Verify your deployment sets SameSite=Strict on auth cookies post-upgrade; do not rely on lax.

  4. DETECTION

    Review pipeline modification logs for unexpected changes to Python code, particularly from non-admin accounts. Alert on pipeline edits outside normal business hours or from unusual source IPs.

  5. AUDIT

    Enumerate all Open-WebUI deployments in your environment — this is commonly spun up ad-hoc by teams experimenting with local LLMs.
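
An added example for step 3 (not from the advisory or the Open-WebUI project): a Python check that parses the Set-Cookie values returned at login and reports any auth cookie that is not SameSite=Strict. The cookie name `token` and the sample header values are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

# Assumption: name(s) of the cookie carrying the session; adjust to your deployment.
AUTH_COOKIE_NAMES = frozenset({"token"})

# Constructed Set-Cookie values (not captured from a real instance).
SAMPLE_LAX = ["token=constructed.sample.value; Path=/; HttpOnly; SameSite=lax",
              "theme=dark; Path=/"]
SAMPLE_STRICT = ["token=constructed.sample.value; Path=/; HttpOnly; Secure; SameSite=Strict"]


def audit_set_cookie(headers, auth_names=AUTH_COOKIE_NAMES):
    """Map each auth cookie found in raw Set-Cookie values to a list of findings."""
    report = {}
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name not in auth_names:
                continue  # only session-bearing cookies matter for CSRF
            findings = []
            samesite = morsel["samesite"].lower()
            if samesite == "lax":
                findings.append("SameSite=Lax (the setting this advisory describes)")
            elif samesite == "none":
                findings.append("SameSite=None (sent on every cross-site request)")
            elif samesite == "":
                findings.append("SameSite not set (browser default applies, not Strict)")
            elif samesite != "strict":
                findings.append(f"unrecognized SameSite value: {samesite}")
            if not morsel["secure"]:
                findings.append("Secure flag missing")
            if not morsel["httponly"]:
                findings.append("HttpOnly flag missing")
            report[name] = findings
    return report


def missing_auth_cookies(report, auth_names=AUTH_COOKIE_NAMES):
    """Auth cookies never seen in the input: the audit cannot vouch for them."""
    return sorted(set(auth_names) - set(report))


if __name__ == "__main__":
    for label, sample in (("lax", SAMPLE_LAX), ("strict", SAMPLE_STRICT)):
        print(label, audit_set_cookie(sample))
```

Feed it the Set-Cookie headers your own instance returns at login; an empty findings list for each auth cookie means the step 3 check passes, and a non-empty result from `missing_auth_cookies` means the cookie name assumption needs correcting.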

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art.15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - AI system security; A.6.2.6 - Protection of AI system resources
NIST AI RMF: GOVERN-1.7 - Processes and procedures are in place for decommissioning AI systems; MANAGE-2.4 - Residual risks are managed
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2024-7806 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7806, increasing the risk of exploitation.

What systems are affected by CVE-2024-7806?

This vulnerability affects the following AI/ML architecture patterns: LLM serving frontends, AI pipeline orchestration, Multi-user AI gateways, Local LLM deployments, Agent frameworks.

What is the CVSS score for CVE-2024-7806?

CVE-2024-7806 has a CVSS v3.1 base score of 8.0 (HIGH). The EPSS exploitation probability is 1.78%.

Technical Details

NVD Description

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.

Exploitation Scenario

An attacker with a foothold in an organization (or conducting a targeted external attack) identifies an Open-WebUI instance accessible to the victim. They craft a malicious HTML page that silently sends a cross-site POST request to the Open-WebUI pipeline edit endpoint, injecting a Python reverse shell or credential harvester into an existing pipeline definition. The attacker social-engineers the victim — a developer or data scientist who regularly uses Open-WebUI — into visiting the page (phishing email, poisoned internal wiki link, Slack message). The victim's browser automatically sends their Open-WebUI session cookie with the request. The pipeline is silently modified, and on the next pipeline execution, the attacker's code runs with the victim's privileges — gaining access to LLM API keys, model files, and network-adjacent resources.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: March 20, 2025
Last Modified: March 21, 2025
First Seen: March 24, 2026
