VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-u89c-p28n-c3hv

Essentials
Severities (10)
References (5)
Severity details (8)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-u89c-p28n-c3hv
Aliases	CVE-2024-7053 GHSA-43g4-487m-5q6m
Summary	A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure` flag enabled, allowing the session cookie to be sent over HTTP to a cross-origin domain. An attacker can exploit this by embedding a malicious markdown image in a chat, which, when viewed by an administrator, sends the admin's session cookie to the attacker's server. This can lead to a stealthy administrator account takeover, potentially resulting in remote code execution (RCE) due to the elevated privileges of administrator accounts.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00233	https://api.first.org/data/v1/epss?cve=CVE-2024-7053
epss	0.00233	https://api.first.org/data/v1/epss?cve=CVE-2024-7053
cvssv3.1	7.6	https://github.com/open-webui/open-webui
generic_textual	HIGH	https://github.com/open-webui/open-webui
cvssv3	7.6	https://huntr.com/bounties/947f8191-0abf-4adf-b7c4-d4c19683aba2
cvssv3.1	7.6	https://huntr.com/bounties/947f8191-0abf-4adf-b7c4-d4c19683aba2
generic_textual	HIGH	https://huntr.com/bounties/947f8191-0abf-4adf-b7c4-d4c19683aba2
ssvc	Track	https://huntr.com/bounties/947f8191-0abf-4adf-b7c4-d4c19683aba2
cvssv3.1	7.6	https://nvd.nist.gov/vuln/detail/CVE-2024-7053
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2024-7053

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-7053
		https://github.com/open-webui/open-webui
		https://nvd.nist.gov/vuln/detail/CVE-2024-7053
947f8191-0abf-4adf-b7c4-d4c19683aba2		https://huntr.com/bounties/947f8191-0abf-4adf-b7c4-d4c19683aba2
GHSA-43g4-487m-5q6m		https://github.com/advisories/GHSA-43g4-487m-5q6m

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N Found at https://github.com/open-webui/open-webui

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N Found at https://huntr.com/bounties/947f8191-0abf-4adf-b7c4-d4c19683aba2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N Found at https://huntr.com/bounties/947f8191-0abf-4adf-b7c4-d4c19683aba2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:16:27Z/ Found at https://huntr.com/bounties/947f8191-0abf-4adf-b7c4-d4c19683aba2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-7053

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.46305
EPSS Score	0.00233
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-10T18:36:52.729883+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2024/7xxx/CVE-2024-7053.json	38.6.0