open-webui/open-webui
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*
- <= 0.3.8
A cross-site scripting (XSS) vulnerability has been identified in Open-WebUI versions through 0.3.8. The issue arises in the function that constructs tooltip HTML and allows attackers to perform actions with the victim's privileges. These could include stealing chat history, deleting chats, and, if the victim is an admin, escalating the attacker's own account to admin status.
Exploitation of this vulnerability allows for cross-site scripting, with potential consequences including unauthorized actions taken on behalf of the victim, such as accessing or deleting chat history and manipulating account privileges.
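The flaw class described above, as an added example that is not Open-WebUI's code: a hypothetical tooltip builder that interpolates untrusted text into markup, its escaped counterpart, and a small tag check suitable for a unit test. All function names and the sample input are constructed for illustration.

```javascript
// Added illustration; not taken from Open-WebUI. All names are hypothetical.

// Constructed sample: a label that comes from user-controlled data.
const SAMPLE_LABEL = 'Model "x" <img src=x onerror=alert(1)>';

// Vulnerable pattern: untrusted text is concatenated into markup that a
// tooltip component later renders as HTML (for example via innerHTML).
function buildTooltipHtmlUnsafe(label, shortcut) {
  return `<div class="tooltip"><span>${label}</span><kbd>${shortcut}</kbd></div>`;
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change HTML structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every interpolated value is escaped before it is
// placed in the template, so it can only ever render as text.
function buildTooltipHtmlSafe(label, shortcut) {
  return `<div class="tooltip"><span>${escapeHtml(label)}</span>` +
         `<kbd>${escapeHtml(shortcut)}</kbd></div>`;
}

// Regression check: return tag names present in the generated markup that
// the template itself never emits. An empty array means no injected tags.
function findUnexpectedTags(html, allowed = ['div', 'span', 'kbd']) {
  const allowedSet = new Set(allowed);
  const found = new Set();
  for (const match of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const name = match[1].toLowerCase();
    if (!allowedSet.has(name)) found.add(name);
  }
  return [...found];
}

console.log(findUnexpectedTags(buildTooltipHtmlUnsafe(SAMPLE_LABEL, 'Ctrl+K')));
console.log(findUnexpectedTags(buildTooltipHtmlSafe(SAMPLE_LABEL, 'Ctrl+K')));
```

Where the tooltip only needs plain text, assigning it through `textContent` instead of building HTML removes the need for escaping altogether.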