Open-WebUI Remote Code Execution Vulnerability via Cross-Site Request Forgery

Vulnerability

A remote code execution vulnerability has been identified in Open-WebUI versions through 0.3.8. It allows non-admin users to execute arbitrary code by exploiting Cross-Site Request Forgery (CSRF). The application authenticates requests with cookies whose SameSite attribute is set to lax, and it does not use CSRF tokens. This combination lets an attacker craft a malicious HTML document that, when opened by a victim, alters the Python code of an existing pipeline and executes arbitrary code with the victim's privileges.
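
The root cause stated above is a cookie-authenticated, state-changing endpoint that is reachable cross-site and protected by nothing more than SameSite=lax. The following is an added illustrative example, not Open-WebUI's own code, of the two server-side checks that close that gap for any route which modifies server-side state such as pipeline code: an Origin/Referer allow-list and a per-session CSRF token that a cross-site page cannot read. The origin set, cookie names, header name and the request shapes in `demo()` are all constructed assumptions.

```python
"""Server-side CSRF defences that complement the SameSite cookie attribute.

Added example, not part of the advisory or the Open-WebUI project.
Assumptions (hypothetical, not taken from the advisory):
  - TRUSTED_ORIGINS holds the origin(s) the application is served from.
  - The session cookie is named "session".
  - The CSRF token is sent back in the X-CSRF-Token header and is derived
    per session with an HMAC, so a cross-site page cannot obtain it.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGINS = {"https://webui.example.internal"}   # assumption
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}              # never change state
_SERVER_SECRET = secrets.token_bytes(32)               # config-managed in practice


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def issue_csrf_token(session_id: str) -> str:
    """Derive the per-session token the server embeds in its own pages."""
    return hmac.new(_SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_trusted(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is ours.

    A state-changing request that carries neither header is rejected: the
    browser sets Origin on cross-site form posts and fetches, so its absence
    is not a reason to trust the request.
    """
    origin = _header(headers, "Origin")
    if origin is None:
        referer = _header(headers, "Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in TRUSTED_ORIGINS


def csrf_check(method: str, headers: dict, cookies: dict) -> tuple:
    """Return (allowed, reason) for one request.

    Safe methods pass. Anything else must come from a trusted origin AND
    present the per-session token; both checks run independently so a gap
    in one does not weaken the other.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not origin_is_trusted(headers):
        return False, "origin not trusted"
    session_id = cookies.get("session")
    if session_id is None:
        return False, "no session"
    expected = issue_csrf_token(session_id)
    presented = _header(headers, "X-CSRF-Token") or ""
    # constant-time comparison avoids leaking the token through timing
    if not hmac.compare_digest(expected, presented):
        return False, "csrf token missing or invalid"
    return True, "ok"


def demo() -> dict:
    """Run constructed requests against a pipeline-update route and report results."""
    sid = "sess-0001"                      # constructed session id
    token = issue_csrf_token(sid)
    cookies = {"session": sid}             # the browser attaches this automatically
    return {
        # the application's own page submitting with its token
        "same_origin_with_token": csrf_check(
            "POST", {"Origin": "https://webui.example.internal",
                     "X-CSRF-Token": token}, cookies),
        # a request originating from a different site, cookie still attached
        "cross_site": csrf_check(
            "POST", {"Origin": "https://other-site.example"}, cookies),
        # right origin but the token is absent
        "same_origin_no_token": csrf_check(
            "POST", {"Origin": "https://webui.example.internal"}, cookies),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result}")
```

The point to take from the example is that neither check depends on the cookie's SameSite value: even with the session cookie attached, a request from another origin fails the allow-list, and a request that somehow passes it still fails without the token. Every route that writes server-side state, including one that edits pipeline code, needs to sit behind this check; a token that is only validated on some routes gives no protection on the rest.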

Impact

Exploitation of this vulnerability allows remote code execution on the affected system, performed with the privileges of the user targeted by the CSRF attack.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.