Skip to main content

Open WebUI EUVDEUVD-2026-30604

| CVE-2026-44551 CRITICAL
Improper Authentication (CWE-287)
2026-05-08 https://github.com/open-webui/open-webui GHSA-2r4p-jpmg-48f4
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:31 vuln.today
Analysis Generated
May 08, 2026 - 20:31 vuln.today
CVE Published
May 08, 2026 - 19:38 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

LDAP Empty Password Authentication Bypass

Affected Component

LDAP authentication endpoint:

  • backend/open_webui/routers/auths.py (lines 468-477, user bind with empty password)
  • backend/open_webui/models/auths.py (lines 58-60, LdapForm model)

Affected Versions

Current main branch (commit 6fdd19bf1) and likely all versions with LDAP authentication support.

Description

The LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind against the LDAP server. Per RFC 4513 Section 5.1.2, a Simple Bind with a valid DN and an empty password constitutes an "unauthenticated simple authentication" - many LDAP servers (including OpenLDAP in default configuration and some Active Directory setups) return success (resultCode 0) for this operation.

The LdapForm Pydantic model accepts password: str with no minimum length constraint, so an empty string passes validation. The subsequent Connection.bind() call succeeds on vulnerable LDAP servers, and the application issues a full session token for the target user.

python
# models/auths.py:58-60 - no min_length on password
class LdapForm(BaseModel):
    user: str
    password: str
# auths.py:469-477 - empty password reaches LDAP bind
connection_user = Connection(
    server,
    user_dn,
    form_data.password,
# can be ""
    auto_bind='NONE',
    authentication='SIMPLE',
)
if not await asyncio.to_thread(connection_user.bind):
    raise HTTPException(400, 'Authentication failed.')
# If bind succeeds (which it does with empty password on many servers),
# execution continues and a full session token is issued

CVSS 3.1 Breakdown

MetricValueRationale
Attack VectorNetwork (N)Exploited remotely via the LDAP login endpoint
Attack ComplexityLow (L)Single request with an empty password field
Privileges RequiredNone (N)No prior authentication needed
User InteractionNone (N)No victim interaction required
ScopeUnchanged (U)Impact within the application's authentication boundary
ConfidentialityHigh (H)Full access to victim's account data - chats, files, API keys, settings
IntegrityHigh (H)Can modify victim's data, settings, send messages as victim
AvailabilityNone (N)No direct denial of service

Attack Scenario

  1. LDAP authentication is enabled on the Open WebUI instance.
  2. The underlying LDAP server accepts unauthenticated simple binds (OpenLDAP default, some AD configs).
  3. Attacker sends:
   POST /api/v1/auths/ldap
   {"user": "admin_username", "password": ""}
  1. The app DN bind succeeds normally (line 366), finds the target user via LDAP search.
  2. The user bind (line 469-477) sends a Simple Bind with the target's DN and an empty password.
  3. The LDAP server returns success for the unauthenticated bind.
  4. authenticate_user_by_email (line 507) issues a full session token for the target user.
  5. Attacker has complete access to the victim's account.

Impact

  • Complete authentication bypass - any LDAP user account can be taken over without knowing the password
  • Includes admin accounts if they authenticate via LDAP
  • No rate limiting on the LDAP endpoint (unlike the password signin endpoint)
  • Zero interaction required from the victim

Preconditions

  • LDAP must be enabled (ENABLE_LDAP=True, disabled by default)
  • The LDAP server must accept unauthenticated simple binds with empty passwords (OpenLDAP default behavior, configurable on AD)
  • Attacker must know a valid LDAP username

AnalysisAI

Remote authentication bypass in Open WebUI LDAP integration (versions ≤0.8.12) allows complete account takeover by submitting empty passwords. The vulnerability exploits RFC 4513 unauthenticated simple bind semantics: when LDAP is enabled, attackers can authenticate as any user-including administrators-with zero knowledge of actual passwords, gaining full access to chats, files, API keys, and settings. Affects deployments using OpenLDAP default configurations or certain Active Directory setups that accept empty-password binds. Vendor-released patch: version 0.9.0. CVSS 9.1 (Critical) reflects network-accessible, zero-privilege, zero-interaction exploitation with high confidentiality and integrity impact.

Technical ContextAI

The vulnerability resides in Open WebUI's Python-based authentication router (auths.py) and data model (LdapForm in auths.py models). The Pydantic LdapForm class accepts password as an unconstrained string with no minimum length validation, allowing empty strings to pass. When LDAP authentication is enabled, the application performs a Simple Bind operation using the ldap3 library's Connection.bind() method with the user-supplied password. Per RFC 4513 Section 5.1.2, LDAP servers interpret a Simple Bind with a valid Distinguished Name (DN) and empty password as 'unauthenticated simple authentication'-many LDAP implementations, including OpenLDAP in default configuration and some Active Directory deployments, return success (resultCode 0) for this operation rather than rejecting it. Open WebUI does not validate password non-emptiness before the bind attempt, so successful bind responses trigger full session token issuance via authenticate_user_by_email. This represents CWE-287 (Improper Authentication), specifically a logic error where protocol-level semantics override application-level authentication intent. The vulnerability is in the application layer (pkg:pip/open-webui) rather than the LDAP servers themselves, which are behaving per RFC specification.

RemediationAI

Upgrade Open WebUI to version 0.9.0 immediately-this is the vendor-confirmed patched release that enforces non-empty password validation before LDAP bind operations (GitHub advisory GHSA-2r4p-jpmg-48f4). If immediate upgrade is not feasible, implement compensating controls: (1) configure backend LDAP server to reject Simple Binds with empty passwords-for OpenLDAP, add 'disallow bind_simple_unauth' to slapd.conf or 'olcDisallows: bind_simple_unauth' to cn=config; for Active Directory, verify that anonymous binds are disabled via 'dsHeuristics' attribute; (2) disable LDAP authentication entirely (set ENABLE_LDAP=False) and migrate to OAuth or local authentication until patching is completed; (3) implement network-layer access controls to restrict LDAP login endpoint (/api/v1/auths/ldap) to trusted IP ranges, though this only reduces attack surface and does not eliminate the vulnerability. Note that LDAP server-side hardening (option 1) introduces operational trade-offs-test thoroughly as some applications legitimately rely on anonymous bind for directory searches. The upgrade path to 0.9.0 is the only complete fix; compensating controls are temporary risk reduction measures only. Refer to https://github.com/open-webui/open-webui/security/advisories/GHSA-2r4p-jpmg-48f4 for official remediation guidance.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

EUVD-2026-30604 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy