CVE-2024-7806: Open-WebUI: CSRF enables RCE via pipeline code injection
GHSA-85jc-8h5p-8vw8 | HIGH | PoC AVAILABLE | CISA: ATTEND
Any organization running Open-WebUI as an internal AI interface should patch to 0.3.33 immediately — this is a no-interaction-on-the-server-side RCE reachable by tricking any authenticated user into visiting a malicious page. The blast radius is full code execution with the victim's privileges on your AI pipeline infrastructure. If you cannot patch today, restrict Open-WebUI access to trusted network segments and enforce browser-level controls to limit cross-origin requests.
What is the risk?
High risk for organizations running Open-WebUI as a shared internal AI frontend. CVSS 8.0 reflects network-accessible exploitation with low privilege requirements — any authenticated user's session can be weaponized. The EPSS of 0.75% is likely underweighted given the trivial exploit complexity: CSRF against a SameSite=lax cookie is a well-documented attack pattern requiring no AI/ML expertise. The pipeline code modification primitive converts what could be a limited CSRF into full arbitrary code execution, dramatically elevating real-world impact beyond what the base score suggests.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | < 0.3.33 | 0.3.33 |
Do you use Open WebUI? You're affected.
What should I do?
5 steps:
1. PATCH: Upgrade open-webui to >= 0.3.33 immediately.
2. NETWORK ISOLATION: Until patched, restrict Open-WebUI to internal-only access via VPN or allowlisted IPs — this eliminates the cross-origin request vector.
3. SESSION HARDENING: Verify your deployment sets SameSite=Strict on auth cookies post-upgrade; do not rely on lax.
4. DETECTION: Review pipeline modification logs for unexpected changes to Python code, particularly from non-admin accounts. Alert on pipeline edits outside normal business hours or from unusual source IPs.
5. AUDIT: Enumerate all Open-WebUI deployments in your environment — this is commonly spun up ad-hoc by teams experimenting with local LLMs.
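A check for the session-hardening step above, added here as an example and not taken from Open-WebUI: it parses Set-Cookie header values (for instance copied from a login response) and reports whether the auth cookie carries SameSite=Strict, and also HttpOnly and Secure, which go beyond what the step lists. The cookie name `token` and the sample headers are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

# Assumption: the auth cookie is named "token"; set this to your deployment's cookie name.
AUTH_COOKIE = "token"


def audit_set_cookie(header_values, cookie_name=AUTH_COOKIE):
    """Return a list of findings for `cookie_name` across Set-Cookie header values."""
    findings, seen = [], False
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)  # one Set-Cookie header value per string
        if cookie_name not in jar:
            continue
        seen = True
        morsel = jar[cookie_name]
        samesite = morsel["samesite"].lower()
        if samesite != "strict":
            findings.append(f"SameSite={samesite or 'unset'} (want strict)")
        if not morsel["httponly"]:
            findings.append("HttpOnly missing")
        if not morsel["secure"]:
            findings.append("Secure missing")
    if not seen:
        findings.append(f"cookie {cookie_name!r} not set")
    return findings


# Constructed sample headers, not captured from a real deployment.
BEFORE = ["theme=dark; Path=/", "token=abc123; Path=/; HttpOnly; SameSite=Lax"]
AFTER = ["token=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_set_cookie(headers) or "ok")
```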
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2024-7806 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-7806, increasing the risk of exploitation.
What systems are affected by CVE-2024-7806?
This vulnerability affects the following AI/ML architecture patterns: LLM serving frontends, AI pipeline orchestration, Multi-user AI gateways, Local LLM deployments, Agent frameworks.
What is the CVSS score for CVE-2024-7806?
CVE-2024-7806 has a CVSS v3.1 base score of 8.0 (HIGH). The EPSS exploitation probability is 0.44%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0011.003 Malicious Link
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0072 Reverse Shell
- AML.T0078 Drive-by Compromise
- AML.T0081 Modify AI Agent Configuration
What are the technical details?
Original Advisory
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.
Exploitation Scenario
An attacker with a foothold in an organization (or conducting a targeted external attack) identifies an Open-WebUI instance accessible to the victim. They craft a malicious HTML page that silently sends a cross-site POST request to the Open-WebUI pipeline edit endpoint, injecting a Python reverse shell or credential harvester into an existing pipeline definition. The attacker social-engineers the victim — a developer or data scientist who regularly uses Open-WebUI — into visiting the page (phishing email, poisoned internal wiki link, Slack message). The victim's browser automatically sends their Open-WebUI session cookie with the request. The pipeline is silently modified, and on the next pipeline execution, the attacker's code runs with the victim's privileges — gaining access to LLM API keys, model files, and network-adjacent resources.
Weaknesses (CWE)
CWE-352 — Cross-Site Request Forgery (CSRF): The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330] Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
- [Implementation] Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script.
Source: MITRE CWE corpus.
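One way to verify server-side that a cookie-authenticated, state-changing request really came from the application's own pages, as CWE-352 requires. This is an added example, not Open-WebUI's patch or code. The function name, the trusted origin `https://webui.example.test` and the header dictionaries are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumes GET/HEAD/OPTIONS handlers never change state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce a URL to scheme://host[:port], lowercased; None if it is not http(s)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers, trusted_origins):
    """Return (allowed, reason) for a request that authenticates with the session cookie.

    headers: dict keyed by lowercase header name.
    trusted_origins: exact origins the UI is served from (operator-supplied assumption).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Fetch Metadata: current browsers state whether the initiator was another site.
    if headers.get("sec-fetch-site") == "cross-site":
        return False, "sec-fetch-site=cross-site"
    # Prefer Origin; fall back to Referer for clients that omit it.
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return False, "no Origin or Referer on state-changing request"
    origin = origin_of(source)
    # Exact match only: prefix or substring matching would accept look-alike hosts.
    if origin in trusted_origins:
        return True, "trusted origin"
    return False, f"untrusted origin {origin}"


TRUSTED = {"https://webui.example.test"}  # constructed value

if __name__ == "__main__":
    forged = {"origin": "https://attacker.example", "sec-fetch-site": "cross-site"}
    print(csrf_check("POST", forged, TRUSTED))
```

A check like this belongs in front of every route that edits pipeline code, alongside a per-session CSRF token rather than in place of one.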
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-85jc-8h5p-8vw8
- github.com/open-webui/open-webui/blob/1d20c27553f019477f01d7233ebe40b11d31e479/backend/main.py
- github.com/open-webui/open-webui/commit/7e253df17593bc12dc5cc89d28703675f05b0158
- github.com/open-webui/open-webui/pull/6054
- huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8
- nvd.nist.gov/vuln/detail/CVE-2024-7806
- github.com/TheUnknownSoul/CVE-2024-7808 Exploit
- github.com/lambdasawa/_lambdasawa Exploit
- github.com/lambdasawa/lambdasawa Exploit
Related Vulnerabilities
- CVE-2026-44551 (9.1): open-webui: LDAP auth bypass — full account takeover. Same package: open-webui
- CVE-2026-45672 (8.8): open-webui: code exec gate bypass via API endpoint. Same package: open-webui
- CVE-2026-44552 (8.7): open-webui: Redis cache poisoning enables cross-instance tool hijack. Same package: open-webui
- CVE-2025-64495 (8.7): Open WebUI: XSS-to-RCE via malicious prompt injection. Same package: open-webui
- CVE-2026-45315 (8.7): open-webui: stored XSS → JWT theft and admin takeover. Same package: open-webui