Skip to main content

Open WebUI CVE-2026-45675

| EUVDEUVD-2026-30607 HIGH
Improper Privilege Management (CWE-269)
2026-05-14 https://github.com/open-webui/open-webui GHSA-h3ww-q6xx-w7x3
8.1
CVSS 3.1 · Vendor: https://github.com/open-webui/open-webui
Share

Severity by source

Vendor (https://github.com/open-webui/open-webui) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (https://github.com/open-webui/open-webui) · only source for this CVE.

CVSS VectorVendor: https://github.com/open-webui/open-webui

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 22:03 vuln.today
Analysis Generated
May 14, 2026 - 22:03 vuln.today
CVE Published
May 14, 2026 - 20:28 nvd
HIGH 8.1

DescriptionCVE.org

Summary

The LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment *"Insert with default role first to avoid TOCTOU race"*, but the LDAP and OAuth code paths were never updated with the same fix.

Vulnerable Code

LDAP (auths.py, lines 479-490)

python
# Line 482 - CHECK: is the user table empty?
role = 'admin' if not Users.has_users(db=db) else request.app.state.config.DEFAULT_USER_ROLE
# Lines 484-490 - USE: create user with the role determined above
user = Auths.insert_new_auth(
    email=email,
    password=str(uuid.uuid4()),
    name=cn,
    role=role,
# <-- role was determined BEFORE insert, race window exists
    db=db,
)

OAuth (oauth.py, lines 1103-1112, 1566-1574)

python
# Line 1104 - CHECK: count users
def get_user_role(self, user, user_data):
    user_count = Users.get_num_users()
    if not user and user_count == 0:
        return 'admin'
# Line 1112
# Lines 1566-1574 - USE: create user with pre-determined role
user = Auths.insert_new_auth(
    ...
    role=self.get_user_role(None, user_data),
# Line 1571
    ...
)

Both paths determine the role BEFORE inserting the user, creating a race window where multiple concurrent requests on a fresh instance can all observe an empty database and all receive the admin role.

Comparison with Patched Signup

The signup_handler (auths.py, line 663) was explicitly fixed:

python
# Insert with default role first to avoid TOCTOU race
user = Auths.insert_new_auth(..., role=DEFAULT_USER_ROLE, ...)
# Then check if this is the only user and upgrade
if Users.get_num_users() == 1:
    Users.update_user_role_by_id(user.id, 'admin')

The LDAP and OAuth paths did NOT receive this fix.

Exploitation

  1. Deploy Open WebUI with LDAP or OAuth enabled on a fresh instance (no existing users)
  2. Send multiple concurrent authentication requests from different users
  3. Multiple requests pass the has_users() / get_num_users() == 0 check simultaneously
  4. All concurrent users become administrators

DATABASE_ENABLE_SESSION_SHARING defaults to False (env.py:387), so each call uses its own database session, widening the race window.

Impact

Any LDAP/OAuth user who times their first login concurrently with the legitimate first admin can escalate to full admin privileges, gaining access to all user data, system configuration, API keys, and connected LLM backends.

Suggested Fix

Apply the same insert-then-check pattern used in signup_handler: insert the user with DEFAULT_USER_ROLE first, then atomically check if this is the only user and upgrade to admin only if so.

Resolution

Fixed in PR #23626 (commit 96a0b3239), first released in v0.9.0 (Apr 2026). Both LDAP (routers/auths.py) and OAuth (utils/oauth.py) registration paths now use the same insert-first-check-after pattern that signup_handler already had:

  1. Insert the new user with DEFAULT_USER_ROLE unconditionally - no pre-insert role decision based on user count.
  2. After the insert commits, atomically call Users.get_num_users() == 1 to check whether this is the sole user.
  3. Only the sole user gets promoted to admin via Users.update_user_role_by_id.

OAuthManager.get_user_role was also updated to return DEFAULT_USER_ROLE (not admin) for first-user bootstrap; admin promotion is deferred to the post-insert check above. With this ordering, two concurrent first-user registrations that both observe an empty table can both insert, but only one will see get_num_users() 1 afterward - the other will see 2 and not be promoted.

Users on >= 0.9.0 are not affected.

AnalysisAI

Multiple concurrent LDAP or OAuth first-login requests on a freshly deployed Open WebUI instance can all receive administrator privileges through a TOCTOU race condition in role assignment logic. The vulnerability affects deployments using LDAP or OAuth authentication on instances with no existing users. While the regular signup handler was explicitly patched for this race condition in earlier code ('Insert with default role first to avoid TOCTOU race'), the LDAP and OAuth authentication paths were never updated with the same fix. Vendor-released patch available in version 0.9.0 (April 2026). No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists per GitHub advisory GHSA-h3ww-q6xx-w7x3. CVSS 8.1 (High) reflects network attack vector but requires high attack complexity (precise timing of concurrent requests during narrow first-deployment window).

Technical ContextAI

The vulnerability stems from a classic Time-of-Check-Time-of-Use (TOCTOU) race condition (CWE-269: Improper Privilege Management) in the Open WebUI authentication subsystem, a Python-based web application for LLM interaction. During first-user initialization, the application follows a check-then-act pattern: LDAP code (auths.py:482) calls Users.has_users() to determine if admin role should be assigned, then inserts the user with that predetermined role several lines later (lines 484-490). The OAuth path (oauth.py:1103-1112, 1566-1574) exhibits identical logic via OAuthManager.get_user_role() checking get_num_users() == 0 before user creation. The race window exists between the empty-database check and the actual INSERT operation. DATABASE_ENABLE_SESSION_SHARING defaults to False (env.py:387), meaning each authentication request uses an isolated database session with no shared transaction context, significantly widening the exploitable race window. The affected package pip/open-webui (CPE pkg:pip/open-webui) uses this flawed pattern in two critical authentication flows while the standard signup_handler was previously hardened against the same race.

RemediationAI

Upgrade to Open WebUI version 0.9.0 or later, released April 2026, which implements the atomic insert-then-check pattern across all authentication paths. The fix (GitHub PR #23626, commit 96a0b3239b1aadb23fc359bf10849c9ba12fd6ec at https://github.com/open-webui/open-webui/commit/96a0b3239b1aadb23fc359bf10849c9ba12fd6ec) modifies both LDAP (routers/auths.py) and OAuth (utils/oauth.py) registration handlers to insert new users with DEFAULT_USER_ROLE unconditionally, then atomically check Users.get_num_users() == 1 after the database commit to determine admin promotion, matching the pattern already used in signup_handler. For organizations unable to upgrade immediately, implement procedural controls: perform initial Open WebUI deployment in an isolated network segment, manually create the first admin account via the standard signup interface before enabling LDAP/OAuth authentication, then verify exactly one admin account exists before exposing the instance to broader user population. This workaround eliminates the race window by ensuring the database is never empty when LDAP/OAuth authentication begins. Note that disabling LDAP/OAuth and using only standard signup is NOT a viable mitigation if these authentication methods are required by organizational SSO policies. The procedural control adds deployment complexity and requires careful sequencing; version upgrade to 0.9.0 is strongly preferred. Advisory and patch details at https://github.com/open-webui/open-webui/security/advisories/GHSA-h3ww-q6xx-w7x3 and release notes at https://github.com/open-webui/open-webui/releases/tag/v0.9.0.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-45675 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy