cvedb.io
CVE-2024-7037
HIGH · CVSS 7.2
EPSS exploitation probability: 0%
Published 2024-10-09T20:15:09.477 · Last modified 2026-06-17T08:19:14.563

Summary

In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHE_DIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote code execution.
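The flaw class described above, as an added example that is not open-webui's own code: a client-supplied upload name concatenated onto a cache directory, next to a hardened resolver that rejects any name able to leave that directory. `CACHE_DIR` here is a temporary stand-in, and `naive_upload_path`, `safe_upload_path` and `escapes_cache` are hypothetical names.

```python
import os
import tempfile
from pathlib import Path

# Assumption: a throwaway directory standing in for the application's CACHE_DIR.
CACHE_DIR = Path(tempfile.mkdtemp(prefix="cache_")).resolve()


def naive_upload_path(filename: str) -> str:
    """Flawed pattern: the client-supplied name is joined straight onto CACHE_DIR."""
    return os.path.normpath(f"{CACHE_DIR}/{filename}")


def safe_upload_path(filename: str) -> Path:
    """Return a path directly inside CACHE_DIR, or raise ValueError."""
    # Reject separators of either OS flavour, NUL bytes and the dot entries
    # outright rather than trying to "clean" a hostile name.
    if (
        filename in ("", ".", "..")
        or "/" in filename
        or "\\" in filename
        or "\x00" in filename
    ):
        raise ValueError(f"rejected upload filename: {filename!r}")
    candidate = (CACHE_DIR / filename).resolve()
    # Defence in depth: resolve() follows symlinks, so confirm the final
    # location is still an immediate child of the cache directory.
    if candidate.parent != CACHE_DIR:
        raise ValueError(f"path escapes cache directory: {filename!r}")
    return candidate


def escapes_cache(path: str) -> bool:
    """True if the path, once resolved, lies outside CACHE_DIR."""
    return not Path(path).resolve().is_relative_to(CACHE_DIR)


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for name in ("pipeline.py", "../outside.py"):
        print(name, "-> naive escapes cache:", escapes_cache(naive_upload_path(name)))
        try:
            print("   safe:", safe_upload_path(name))
        except ValueError as exc:
            print("   safe:", exc)
```

The same resolver should guard the delete path as well as the write path, since the summary reports both operations using the unsanitized name.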

Affected products

openwebui — open_webui

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.