CVE-2024-8017 Overview
CVE-2024-8017 is a Cross-Site Scripting (XSS) vulnerability in open-webui/open-webui versions <= 0.3.8. The flaw resides in the function that constructs the HTML for tooltips, allowing untrusted input to be rendered as executable script in the victim's browser. Attackers can execute actions with the victim's privileges, including stealing chat history, deleting conversations, and escalating attacker-controlled accounts to administrator when an admin is targeted. The weakness is tracked under CWE-79. Open WebUI is a self-hosted interface frequently deployed in front of local large language model (LLM) backends, expanding the impact to AI workflow operators.
Critical Impact
An authenticated attacker can hijack admin sessions, exfiltrate chat data, and elevate privileges to administrator within the Open WebUI deployment.
Affected Products
- open-webui/open-webui versions <= 0.3.8
- Self-hosted Open WebUI deployments exposed to multi-user access
- Open WebUI instances integrated with local LLM backends and chat history storage
Discovery Timeline
- 2025-03-20 - CVE-2024-8017 published to NVD
- 2025-07-21 - Last updated in NVD database
Technical Details for CVE-2024-8017
Vulnerability Analysis
The vulnerability is a stored or reflected XSS issue rooted in the tooltip HTML construction logic of Open WebUI. The application concatenates user-controlled content into an HTML string used to render tooltip markup. Because the input is not sanitized or encoded before insertion, an attacker can embed script payloads that the browser executes in the context of the victim's session.
The issue maps to CWE-79: Improper Neutralization of Input During Web Page Generation. Exploitation requires the victim to view content that triggers the tooltip rendering path, which is consistent with the User Interaction requirement reflected in the CVSS vector. The scope changes because script executing in one user's browser session can interact with administrative APIs that affect other accounts and shared resources.
Root Cause
The root cause is unsafe HTML assembly in the tooltip rendering function. Untrusted strings are concatenated directly into markup rather than being escaped or assigned through safe DOM APIs such as textContent. Any field that flows into the tooltip becomes an injection sink, including chat content, model metadata, or other attacker-controllable values.
Attack Vector
An authenticated attacker with low privileges plants a payload in a field rendered through the vulnerable tooltip path. When another user, including an administrator, interacts with the affected interface element, the payload executes in their browser. The script can then issue authenticated requests to Open WebUI APIs to read chat history, delete chats, modify settings, or promote the attacker's account to administrator. No verified public proof-of-concept code is published in the references for this CVE. See the Huntr Bounty Report for technical context.
Detection Methods for CVE-2024-8017
Indicators of Compromise
- Unexpected administrator role assignments in Open WebUI user records, especially for recently created low-privilege accounts.
- Tooltip-related fields or chat objects containing <script> tags, on* event handlers, or javascript: URIs.
- Bulk deletions of chat history or sudden disappearance of user conversations without corresponding user actions.
- Outbound HTTP requests from browsers to unfamiliar domains immediately after rendering Open WebUI pages.
Detection Strategies
- Inspect the Open WebUI database for stored fields containing HTML or script syntax that should not appear in normal chat or metadata content.
- Review web server access logs for authenticated API calls to privilege-changing endpoints originating from non-admin user sessions.
- Apply Content Security Policy (CSP) reporting to surface inline script execution attempts in the Open WebUI frontend.
Monitoring Recommendations
- Alert on changes to user role attributes and admin group membership in Open WebUI.
- Monitor for anomalous patterns of chat deletion or export API calls per user session.
- Track Open WebUI version strings across deployments to identify hosts still running <= 0.3.8.
How to Mitigate CVE-2024-8017
Immediate Actions Required
- Upgrade Open WebUI to a release later than 0.3.8 that addresses the tooltip XSS sink.
- Audit existing user accounts and revoke administrator privileges granted during the exposure window.
- Rotate API keys, session tokens, and credentials used within affected Open WebUI instances.
- Restrict network access to Open WebUI so only trusted users can authenticate to the interface.
Patch Information
Upgrade open-webui/open-webui to a version higher than 0.3.8. Consult the Huntr Bounty Report for the disclosure details and refer to the project's release notes for the fix commit that introduces proper output encoding in the tooltip rendering function.
Workarounds
- Place Open WebUI behind a reverse proxy that enforces a strict Content Security Policy disallowing inline scripts.
- Limit Open WebUI access to single-user deployments until upgrade is complete, reducing the cross-user exploitation surface.
- Review and purge chat content and metadata that may contain stored payloads before re-enabling multi-user access.
# Configuration example: upgrade Open WebUI container to a patched release
docker pull ghcr.io/open-webui/open-webui:latest
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui \
-p 3000:8080 \
-v open-webui:/app/backend/data \
--restart always \
ghcr.io/open-webui/open-webui:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
