
CVE-2024-7806: Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability

CVSS Score
8 (CVSS v3.0)

Basic Information

EPSS Score
0.47861%
Published
3/20/2025
Updated
3/21/2025
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package Name: open-webui
Ecosystem: pip
Vulnerable Versions: not listed
First Patched Version: not listed

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper cookie security attributes in the authentication flows. The affected functions all handled session cookie creation or modification and, before the patch for CVE-2024-7806, were missing the 'SameSite=strict' and 'Secure' attributes. This allowed cross-site request forgery: the lax SameSite policy still permits some cross-site requests to carry the session cookie, and the missing Secure flag allows the cookie to be transmitted over plain HTTP. The GitHub commit 7e253df explicitly adds these attributes to these specific authentication functions, confirming they were the vulnerable points.
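To make the root cause concrete, the following is an added example written for this page; it is not Open WebUI's code, not the content of commit 7e253df, and not Miggo's analysis tooling. It uses only the Python standard library to build a session cookie header the two ways the analysis contrasts (lax without Secure, versus strict with Secure) and to audit any Set-Cookie value for the attributes the fix added. The cookie name `token`, the sample token value and the helper names are assumptions made for the example.

```python
"""Added example: weak vs. hardened session cookie attributes, plus an audit helper."""
from http.cookies import SimpleCookie


def build_session_cookie(token: str, hardened: bool) -> str:
    """Return a Set-Cookie header value for a session token.

    hardened=False reproduces the pre-patch shape described in the analysis
    (SameSite=lax, no Secure flag); hardened=True applies the attributes the
    fix added. The cookie name "token" is an assumption for this example.
    """
    cookie = SimpleCookie()
    cookie["token"] = token
    morsel = cookie["token"]
    morsel["path"] = "/"
    morsel["httponly"] = True          # keep the token out of document.cookie
    if hardened:
        morsel["samesite"] = "strict"  # never sent on cross-site requests
        morsel["secure"] = True        # never sent over plain HTTP
    else:
        morsel["samesite"] = "lax"     # still sent on top-level cross-site navigations
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Audit a Set-Cookie header value for the attributes a session cookie needs.

    Returns a list of human-readable findings; an empty list means the cookie
    carries SameSite=strict, Secure and HttpOnly.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value, the rest are attributes
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip().lower()

    findings = []
    if attrs.get("samesite") != "strict":
        findings.append("SameSite is %r, expected strict" % attrs.get("samesite"))
    if "secure" not in attrs:
        findings.append("Secure flag missing")
    if "httponly" not in attrs:
        findings.append("HttpOnly flag missing")
    return findings


if __name__ == "__main__":
    # Constructed sample token; not a real credential.
    for hardened in (False, True):
        header = build_session_cookie("sampletoken123", hardened=hardened)
        print(header)
        print("  findings:", audit_set_cookie(header) or "none")
```

Run the audit helper against the Set-Cookie headers your own deployment actually returns after login; a non-empty result for the session cookie is the condition the analysis above describes.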

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

A vulnerability in open-webui/open-webui versions <= *.*.* allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF to

Reasoning

The vulnerability stems from improper cookie security attributes in authentication flows. The functions listed all handled session cookie creation/modification and were missing critical 'SameSite=strict' and 'Secure' attributes before the patch (CVE-