Vulnerability details: VCID-8qvj-xndv-v3ay
Vulnerability ID VCID-8qvj-xndv-v3ay
Aliases CVE-2024-7806
GHSA-85jc-8h5p-8vw8
Summary A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application authenticates with cookies whose SameSite attribute is set to lax and does not use CSRF tokens. This allows an attacker to craft a malicious HTML page that, when visited by an authenticated victim, modifies the Python code of an existing pipeline and executes arbitrary code with the victim's privileges.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (3)
System           Score    Found at
epss             0.00876  https://api.first.org/data/v1/epss?cve=CVE-2024-7806
cvssv3.1_qr      HIGH     https://github.com/advisories/GHSA-85jc-8h5p-8vw8
cvssv3.1         8.0      https://github.com/open-webui/open-webui
generic_textual  HIGH     https://github.com/open-webui/open-webui
cvssv3.1         8.0      https://github.com/open-webui/open-webui/blob/1d20c27553f019477f01d7233ebe40b11d31e479/backend/main.py#L892-L920
generic_textual  HIGH     https://github.com/open-webui/open-webui/blob/1d20c27553f019477f01d7233ebe40b11d31e479/backend/main.py#L892-L920
cvssv3.1         8.0      https://github.com/open-webui/open-webui/commit/7e253df17593bc12dc5cc89d28703675f05b0158
generic_textual  HIGH     https://github.com/open-webui/open-webui/commit/7e253df17593bc12dc5cc89d28703675f05b0158
cvssv3.1         8.0      https://github.com/open-webui/open-webui/pull/6054
generic_textual  HIGH     https://github.com/open-webui/open-webui/pull/6054
cvssv3           8        https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8
cvssv3.1         8.0      https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8
generic_textual  HIGH     https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8
ssvc             Track*   https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8
cvssv3.1         8.0      https://nvd.nist.gov/vuln/detail/CVE-2024-7806
generic_textual  HIGH     https://nvd.nist.gov/vuln/detail/CVE-2024-7806
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/open-webui/open-webui
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/open-webui/open-webui/blob/1d20c27553f019477f01d7233ebe40b11d31e479/backend/main.py#L892-L920
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/open-webui/open-webui/commit/7e253df17593bc12dc5cc89d28703675f05b0158
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/open-webui/open-webui/pull/6054
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-03-20T15:21:31Z/ Found at https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-7806

Every CVSS v3 source above reports the same vector, which decodes to:
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): low
User Interaction (UI): required
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): high
Availability Impact (A): high

Exploit Prediction Scoring System (EPSS)
Percentile 0.75731
EPSS Score 0.00876
Published At June 11, 2026, 12:55 p.m.
Date                              Actor         Action  Source                                                                              VulnerableCode Version
2026-06-10T18:36:32.200513+00:00  Vulnrichment  Import  https://github.com/cisagov/vulnrichment/blob/develop/2024/7xxx/CVE-2024-7806.json  38.6.0