CVE-2024-30256

Open WebUI vulnerable to server-side request forgery in utils.py

Severity Score

6.4

*CVSS v3.1

Exploit Likelihood

< 1%

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Open WebUI is a user-friendly WebUI for LLMs. Open-webui is vulnerable to authenticated blind server-side request forgery. This vulnerability is fixed in 0.1.117.

Open WebUI es una WebUI fácil de usar para LLM. Open-webui es vulnerable a blind server-side request forgery. Esta vulnerabilidad se solucionó en 0.1.117.

*Credits: N/A

CVSS Scores

GitHubv3.1 6.4

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-26 CVE Reserved
2024-04-16 CVE Published
2024-08-02 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (2)

URL	Tag	Source
https://github.com/open-webui/open-webui/security/advisories/GH...	X_refsource_confirm
https://securitylab.github.com/advisories/GHSL-2024-033_open-webui	X_refsource_misc

1 - 2 of 2

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions (1)

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Open-webui Search vendor "Open-webui"		Open-webui Search vendor "Open-webui" for product "Open-webui"				< 0.1.117 Search vendor "Open-webui" for product "Open-webui" and version " < 0.1.117"		en		Affected

1 - 1 of 1