Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF)

The primary impact of CVE-2024-7035 is the potential for unauthorized data modification and deletion. An attacker could craft a malicious website or link that, when visited by an authenticated user of open-webui, would trigger actions such as resetting the database (/rag/api/v1/reset/db), deleting memories (/api/v1/memories/reset), or clearing uploads (/rag/api/v1/reset/uploads). This could lead to data loss, service disruption, and compromise of the application's integrity. The blast radius extends to any user with access to these sensitive functions within open-webui, and the ease of exploitation via simple website visits makes it a significant risk. While not directly leading to remote code execution, the data manipulation capabilities can be leveraged for further attacks.

1. आरक्षित2024-07-23
2. प्रकाशित2025-03-20
3. संशोधित2025-03-21
4. EPSS अद्यतन2026-04-02

The recommended mitigation for CVE-2024-7035 is to upgrade open-webui to a version that addresses the vulnerability. Unfortunately, a fixed version is not currently specified. As a workaround, implement strict input validation and output encoding on all sensitive endpoints, specifically /rag/api/v1/reset, /rag/api/v1/reset/db, /api/v1/memories/reset, and /rag/api/v1/reset/uploads. Consider implementing CSRF tokens for these endpoints to prevent unauthorized requests. Web Application Firewalls (WAFs) can be configured to detect and block suspicious GET requests targeting these endpoints. Monitor application logs for unusual activity related to these endpoints. After applying mitigations, verify functionality by attempting to trigger the sensitive actions through a controlled environment to ensure protection.