{"id":"CVE-2024-30256","summary":"Open WebUI vulnerable to server-side request forgery in utils.py","details":"Open WebUI is a user-friendly WebUI for LLMs. Open WebUI is vulnerable to an authenticated, blind server-side request forgery (SSRF). This vulnerability is fixed in version 0.1.117.\n","aliases":["GHSA-39wr-r5vm-3jxj"],"modified":"2026-03-14T12:28:52.712754Z","published":"2024-04-16T14:24:21.747Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/30xxx/CVE-2024-30256.json","cwe_ids":["CWE-918"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/30xxx/CVE-2024-30256.json"},{"type":"ADVISORY","url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-39wr-r5vm-3jxj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30256"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2024-033_open-webui"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/open-webui/open-webui","events":[{"introduced":"0"},{"fixed":"46774aa5cdbf4e894776978be60311210a6d0b32"}]}],"versions":["v0.1.102","v0.1.103","v0.1.104","v0.1.105","v0.1.106","v0.1.107","v0.1.108","v0.1.109","v0.1.110","v0.1.111","v0.1.112","v0.1.113","v0.1.114","v0.1.115","v0.1.116"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-30256.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}]}