Moderate severityNVD Advisory· Published Mar 20, 2025· Updated Mar 20, 2025
Cross-Site Request Forgery (CSRF) in open-webui/open-webui
CVE-2024-7035
Description
In version v0.3.8 of open-webui/open-webui, sensitive actions such as deleting and resetting are performed using the GET method. This vulnerability allows an attacker to perform Cross-Site Request Forgery (CSRF) attacks, where an unaware user can unintentionally perform sensitive actions by simply visiting a malicious site or through top-level navigation. The affected endpoints include /rag/api/v1/reset, /rag/api/v1/reset/db, /api/v1/memories/reset, and /rag/api/v1/reset/uploads. This impacts both the availability and integrity of the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
open-webuiPyPI | <= 0.3.8 | — |
Affected products
2- Range: unspecified
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.