Remote Code Execution by Non-Admin Users via CSRF in open-webui/open-webui
Description
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML page that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open WebUI versions <= 0.3.8 allow non-admin remote code execution via CSRF due to lax SameSite cookies and missing CSRF tokens.
Vulnerability Overview
Open WebUI versions up to 0.3.8 contain a Cross-Site Request Forgery (CSRF) vulnerability that allows non-admin users to achieve remote code execution. The application uses cookies with the SameSite attribute set to 'lax' for authentication and does not implement CSRF tokens [2]. This design flaw enables an attacker to craft malicious HTML that, when visited by an authenticated victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges [2].
Attack Vector and Prerequisites
An attacker must trick an authenticated non-admin user into visiting a malicious page. Because the authentication cookie has a SameSite setting of 'lax', it is still sent with top-level cross-site GET requests, allowing the forged request to be processed by the application [2]. The lack of CSRF tokens means that the application cannot distinguish between a legitimate user action and a forged one. This attack requires no additional authentication or privileges beyond those of the victim user [2].
Impact
A successful CSRF attack allows the attacker to modify an existing pipeline's Python code and subsequently execute arbitrary code on the server [2]. This results in full remote code execution with the privileges of the victim user, potentially leading to data exfiltration, service disruption, or further compromise of the Open WebUI environment.
Mitigation Status
A pull request (PR #6054) has been submitted to address the vulnerability by adding 'SameSite' and 'Secure' attributes to authentication cookies, which helps mitigate CSRF attacks [3]. The fix updates cookie settings in several authentication-related functions [3]. Users are advised to update to a patched version of Open WebUI once it becomes available, or apply the changes from the pull request as a workaround.
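As an added illustration (not Open WebUI's code and not part of PR #6054), the following Python models which cross-site request shapes still carry a session cookie under each SameSite value, matching the Lax behaviour described above, and renders a Set-Cookie value with the HttpOnly, SameSite and Secure attributes the fix adds. The request catalogue and the Strict default are assumptions made for this example.

```python
from http.cookies import SimpleCookie
from typing import List

# Methods browsers treat as "safe" when deciding whether SameSite=Lax applies.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def cookie_sent_cross_site(samesite: str, method: str, top_level: bool) -> bool:
    """Is a cookie with this SameSite value attached to a cross-site request?
    Strict: never. Lax: only top-level navigations with a safe method (the case
    the advisory describes). None: always. Browser grace periods such as
    Chrome's "Lax + POST" window are deliberately not modelled."""
    mode = samesite.lower()
    if mode not in ("strict", "lax", "none"):
        raise ValueError(f"unknown SameSite value: {samesite!r}")
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level and method.upper() in SAFE_METHODS
    return True

# Constructed catalogue of request shapes a hostile page can make a visitor's
# browser issue against another origin (assumption: illustrative, not exhaustive).
REQUEST_KINDS = [
    ("top-level GET navigation", "GET", True),
    ("top-level POST form submission", "POST", True),
    ("embedded GET (img, fetch)", "GET", False),
    ("embedded POST (fetch, hidden iframe form)", "POST", False),
]

def forged_requests_with_cookie(samesite: str) -> List[str]:
    """Request kinds for which the session cookie would still be sent."""
    return [name for name, method, top in REQUEST_KINDS
            if cookie_sent_cross_site(samesite, method, top)]

def build_session_cookie(token: str, samesite: str = "Strict", secure: bool = True) -> str:
    """Set-Cookie value for the diff's 'token' cookie with HttpOnly, SameSite, Secure."""
    if samesite.lower() == "none" and not secure:
        raise ValueError("SameSite=None is only accepted together with Secure")
    jar = SimpleCookie()
    jar["token"] = token
    jar["token"]["httponly"] = True   # not readable from JavaScript
    jar["token"]["secure"] = secure   # only sent over HTTPS
    jar["token"]["samesite"] = samesite
    jar["token"]["path"] = "/"
    return jar["token"].OutputString()

if __name__ == "__main__":
    for mode in ("Lax", "Strict", "None"):
        print(f"SameSite={mode}: cookie sent on {forged_requests_with_cookie(mode)}")
    print(build_session_cookie("constructed-jwt-value"))
```

Note that SameSite attributes narrow the forgeable request shapes but do not replace a per-request CSRF token or Origin check, which the advisory says the application lacks.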
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| open-webui (PyPI) | < 0.3.33 | 0.3.33 |
Affected products
- Range: <= 0.3.8
- open-webui/open-webui/open-webui v5: Range unspecified
Patches
7e253df17593 Merge pull request #6054 from jeeteshchel/bugfix/secure-cookie
2 files changed · +10 −0
backend/open_webui/apps/webui/routers/auths.py+8 −0 modified@@ -18,6 +18,8 @@ from open_webui.env import ( WEBUI_AUTH_TRUSTED_EMAIL_HEADER, WEBUI_AUTH_TRUSTED_NAME_HEADER, + WEBUI_SESSION_COOKIE_SAME_SITE, + WEBUI_SESSION_COOKIE_SECURE, ) from fastapi import APIRouter, Depends, HTTPException, Request, status from fastapi.responses import Response @@ -53,6 +55,8 @@ async def get_session_user( key="token", value=token, httponly=True, # Ensures the cookie is not accessible via JavaScript + samesite=WEBUI_SESSION_COOKIE_SAME_SITE, + secure=WEBUI_SESSION_COOKIE_SECURE, ) return { @@ -166,6 +170,8 @@ async def signin(request: Request, response: Response, form_data: SigninForm): key="token", value=token, httponly=True, # Ensures the cookie is not accessible via JavaScript + samesite=WEBUI_SESSION_COOKIE_SAME_SITE, + secure=WEBUI_SESSION_COOKIE_SECURE, ) return { @@ -236,6 +242,8 @@ async def signup(request: Request, response: Response, form_data: SignupForm): key="token", value=token, httponly=True, # Ensures the cookie is not accessible via JavaScript + samesite=WEBUI_SESSION_COOKIE_SAME_SITE, + secure=WEBUI_SESSION_COOKIE_SECURE, ) if request.app.state.config.WEBHOOK_URL:
backend/open_webui/main.py+2 −0 modified@@ -2385,6 +2385,8 @@ async def oauth_callback(provider: str, request: Request, response: Response): key="token", value=jwt_token, httponly=True, # Ensures the cookie is not accessible via JavaScript + samesite=WEBUI_SESSION_COOKIE_SAME_SITE, + secure=WEBUI_SESSION_COOKIE_SECURE, ) # Redirect back to the frontend with the JWT token
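Review bot: the auths.py hunks (get_session_user, signin, signup) pass samesite=WEBUI_SESSION_COOKIE_SAME_SITE and secure=WEBUI_SESSION_COOKIE_SECURE, but the diff neither shows nor documents what those settings default to; if the default stays "lax", the cookie is still sent on top-level cross-site GET navigations, which is exactly the prerequisite the advisory names, so please state the defaults (and consider "strict") in the PR description and environment docs. The advisory also notes the application has no CSRF tokens, and nothing in this change adds one or an Origin/Referer check; the cookie attributes narrow the forgeable request shapes but should be paired with a request-level check.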
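Review bot: the main.py hunk in oauth_callback references WEBUI_SESSION_COOKIE_SAME_SITE and WEBUI_SESSION_COOKIE_SECURE, but this file is +2 −0 with no import added, whereas auths.py adds both names to its `from open_webui.env import (` block; confirm main.py already imports them (for example via a star import from open_webui.env), otherwise the OAuth callback will raise NameError at runtime.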
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-85jc-8h5p-8vw8 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-7806 (GHSA, advisory)
- github.com/open-webui/open-webui/blob/1d20c27553f019477f01d7233ebe40b11d31e479/backend/main.py (GHSA, web)
- github.com/open-webui/open-webui/commit/7e253df17593bc12dc5cc89d28703675f05b0158 (GHSA, web)
- github.com/open-webui/open-webui/pull/6054 (GHSA, web)
- huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8 (GHSA, web)
News mentions
No linked articles in our index yet.