CVE-2024-8017: Cross-site Scripting (XSS) in open-webui/open-webui

Published Mar 20, 2025
·
Updated

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attackers to perform operations with the victim's privileges, such as stealing chat history, deleting chats, and escalating their own account to an admin if the victim is an admin.

Affected Software

2 affected components
open-webui open-webui<=0.3.8
openwebui Open WebUI<=0.3.8

Event History

Mar 20, 2025
CVE Published
via MITRE·10:11 AM
Data Sourced
via MITRE·10:11 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·10:15 AM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-8017?

CVE-2024-8017 is classified as a medium severity vulnerability due to its potential to allow an attacker to execute actions with the victim's privileges.

2

How do I fix CVE-2024-8017?

To fix CVE-2024-8017, upgrade open-webui to version 0.3.9 or later where the vulnerability has been addressed.

3

What types of attacks can CVE-2024-8017 enable?

CVE-2024-8017 can enable attacks such as stealing chat history and deleting chats by exploiting the XSS vulnerability.

4

Which versions of open-webui are affected by CVE-2024-8017?

CVE-2024-8017 affects open-webui versions 0.3.8 and earlier.

5

What is the root cause of CVE-2024-8017?

The root cause of CVE-2024-8017 is an inadequate sanitization process in the tooltip HTML construction function, leading to XSS vulnerabilities.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203