
THREATINT
PUBLISHED

CVE-2024-7035

Cross-Site Request Forgery (CSRF) in open-webui/open-webui



Description

In version v0.3.8 of open-webui/open-webui, sensitive actions such as deleting and resetting are performed using the GET method. This vulnerability allows an attacker to perform Cross-Site Request Forgery (CSRF) attacks, where an unaware user can unintentionally perform sensitive actions by simply visiting a malicious site or through top-level navigation. The affected endpoints include /rag/api/v1/reset, /rag/api/v1/reset/db, /api/v1/memories/reset, and /rag/api/v1/reset/uploads. This impacts both the availability and integrity of the application.
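The following is an added defensive illustration of the CWE-352 fix pattern for routes like the ones named above; it is not code from the open-webui project or from this record. The route list is taken from the description; the deployment host, the `csrf_token` cookie name, the `X-CSRF-Token` header name and the request objects are constructed for the example. It shows why the GET-based reset routes were reachable through a plain link or image load, and what a handler has to check once those actions are moved to POST: refuse safe methods, require a same-site `Origin`/`Referer`, and verify a double-submit token in constant time.

```python
"""Added defensive example for CWE-352 on the reset routes named in the CVE description.

The route list comes from the CVE text; the host, cookie name, header name
and request objects below are constructed for this example and are not
open-webui's real code or configuration.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Routes from the description that change server state. A browser will issue
# a GET to any of these from an <img> tag or a link on a third-party page,
# which is exactly the CSRF vector the description refers to.
STATE_CHANGING_ROUTES = {
    "/rag/api/v1/reset",
    "/rag/api/v1/reset/db",
    "/rag/api/v1/reset/uploads",
    "/api/v1/memories/reset",
}

# Methods RFC 9110 defines as safe; they must never change state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

CSRF_COOKIE = "csrf_token"      # assumed cookie name (example only)
CSRF_HEADER = "X-CSRF-Token"    # assumed header name (example only)


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def issue_csrf_token() -> str:
    """Per-session token the server sets as a cookie and the front end echoes in a header."""
    return secrets.token_urlsafe(32)


def check_state_change(req: Request, expected_host: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a request against the reset routes.

    Three layered checks: (1) refuse safe methods on state-changing routes,
    (2) require a same-site Origin/Referer, (3) double-submit token match.
    """
    if req.path not in STATE_CHANGING_ROUTES:
        return True, "not a state-changing route"

    # Root-cause fix for the CVE: reset/delete must not be reachable by GET.
    if req.method.upper() in SAFE_METHODS:
        return False, f"{req.method} not allowed on state-changing route"

    # Browsers attach Origin (or at least Referer) to cross-site requests;
    # a top-level navigation or form post from another site fails here.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return False, "missing Origin/Referer"
    if urlsplit(origin).netloc.lower() != expected_host.lower():
        return False, f"cross-site origin {origin}"

    # Double-submit cookie: a third-party page cannot read the cookie value,
    # so it cannot reproduce it in a custom header. Constant-time compare.
    cookie_token = req.cookies.get(CSRF_COOKIE, "")
    header_token = req.headers.get(CSRF_HEADER, "")
    if not cookie_token or not hmac.compare_digest(cookie_token, header_token):
        return False, "CSRF token missing or mismatched"

    return True, "ok"


def demo() -> list[tuple[str, bool]]:
    """Run constructed requests through the check and return (label, allowed) pairs."""
    host = "webui.example.internal:8080"          # assumed deployment host
    token = issue_csrf_token()
    cases = {
        # The CVE scenario: the victim's browser follows a link to the reset URL.
        "cross-site GET to reset/db": Request("GET", "/rag/api/v1/reset/db",
                                              headers={"Referer": "https://attacker.example/"},
                                              cookies={"session": "victim"}),
        # Same route once the action only accepts POST with the token.
        "same-site POST with token": Request("POST", "/rag/api/v1/reset/db",
                                             headers={"Origin": f"https://{host}", CSRF_HEADER: token},
                                             cookies={"session": "victim", CSRF_COOKIE: token}),
        "cross-site POST forged form": Request("POST", "/api/v1/memories/reset",
                                               headers={"Origin": "https://attacker.example"},
                                               cookies={"session": "victim", CSRF_COOKIE: token}),
        "same-site POST wrong token": Request("POST", "/rag/api/v1/reset/uploads",
                                              headers={"Origin": f"https://{host}", CSRF_HEADER: "stale"},
                                              cookies={"session": "victim", CSRF_COOKIE: token}),
        "ordinary GET elsewhere": Request("GET", "/api/v1/models", cookies={"session": "victim"}),
    }
    return [(label, check_state_change(r, host)[0]) for label, r in cases.items()]


if __name__ == "__main__":
    for label, allowed in demo():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The method check alone closes the vector in the description, since a link, image load or top-level navigation can only produce a GET; the Origin and token checks cover the remaining case of a cross-site form post, and setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer on top.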

Reserved 2024-07-23 | Published 2025-03-20 | Updated 2025-03-20 | Assigner @huntr_ai


MEDIUM: 6.9 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:L)

Problem types

CWE-352 Cross-Site Request Forgery (CSRF)

Product status

Any version: affected

References

huntr.com/bounties/2ac81740-410b-467a-9244-75d82a6f9e11

cve.org (CVE-2024-7035)

nvd.nist.gov (CVE-2024-7035)

Page: https://cve.threatint.eu/CVE/CVE-2024-7035
