CVE-2026-45675 Overview
CVE-2026-45675 is a Time-of-Check-Time-of-Use (TOCTOU) race condition in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The flaw exists in the Lightweight Directory Access Protocol (LDAP) and OAuth authentication flows, where first-user admin role assignment is vulnerable to concurrent registration. A prior patch to the regular signup_handler in auths.py addressed the same race for password-based signups, but the LDAP and OAuth code paths were never updated with the equivalent fix. The vulnerability is tracked under [CWE-269: Improper Privilege Management] and was fixed in version 0.9.0.
Critical Impact
Concurrent attackers registering through LDAP or OAuth can race the bootstrap check and gain administrative privileges on a freshly deployed Open WebUI instance.
Affected Products
- Open WebUI versions prior to 0.9.0
- Deployments using LDAP authentication
- Deployments using OAuth single sign-on (SSO)
Discovery Timeline
- 2026-05-15 - CVE-2026-45675 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45675
Vulnerability Analysis
Open WebUI bootstraps the first registered account into the admin role to enable initial configuration. In the patched password signup path, the code inserts the user with the default role first and then promotes the account only if it remains the sole user. The LDAP handler in backend/open_webui/routers/auths.py and the OAuth role resolver in backend/open_webui/utils/oauth.py computed the role before the insert. This created a window where two concurrent registrations could both observe Users.has_users() == False and both receive admin privileges.
An unauthenticated attacker who can reach the LDAP or OAuth registration endpoint on a fresh instance can race a legitimate first sign-in. The CVSS vector reflects high attack complexity because the race window is narrow and depends on timing, but successful exploitation grants full administrative control.
Root Cause
The role assignment logic read the user count and computed the role string in the same expression used during insert. Because the read and the write were not atomic, two requests interleaving between the check and the insert could each conclude they were the first user. The patched signup_handler had already documented this pattern with the comment Insert with default role first to avoid TOCTOU race, but that mitigation was not propagated to the LDAP and OAuth paths.
Attack Vector
Exploitation requires network access to a newly deployed Open WebUI instance with LDAP or OAuth enabled and no users yet provisioned. An attacker sends concurrent authentication requests timed to interleave with a legitimate first registration. If the race succeeds, the attacker's account is created with the admin role and inherits full platform privileges, including model configuration, user management, and access to stored conversations.
# Patched LDAP path in backend/open_webui/routers/auths.py
user = Users.get_user_by_email(email, db=db)
if not user:
try:
# Insert with default role first to avoid TOCTOU race on
# first-user registration. Matches signup_handler pattern.
user = Auths.insert_new_auth(
email=email,
password=str(uuid.uuid4()),
name=cn,
role=request.app.state.config.DEFAULT_USER_ROLE,
db=db,
)
if not user:
raise HTTPException(500, detail=ERROR_MESSAGES.CREATE_USER_ERROR)
# Atomically check if this is the only user *after* the
# insert. Only the single user present should become admin.
if Users.get_num_users(db=db) == 1:
Users.update_user_role_by_id(user.id, 'admin', db=db)
user = Users.get_user_by_id(user.id, db=db)
Source: Open WebUI commit 96a0b32
# Patched OAuth role resolver in backend/open_webui/utils/oauth.py
if not user and user_count == 0:
# First-user bootstrap: skip role management gating so the
# instance can be initialized. We intentionally return the
# default role here (not 'admin') - admin promotion happens
# race-safely *after* insert via get_num_users() == 1.
log.debug('First user bootstrap: using default role (admin promotion deferred to post-insert)')
return auth_manager_config.DEFAULT_USER_ROLE
Source: Open WebUI commit 96a0b32
Detection Methods for CVE-2026-45675
Indicators of Compromise
- Multiple user accounts holding the admin role on an instance that was expected to provision a single administrator.
- Concurrent or near-simultaneous LDAP or OAuth authentication requests in access logs during initial instance bootstrap.
- Admin role assignments originating from the LDAP or OAuth callback endpoints rather than the standard signup_handler path.
Detection Strategies
- Audit the Open WebUI user table for accounts with the admin role and verify each against approved administrators.
- Review application logs for Assigning the first user the admin role debug entries appearing more than once on the same instance.
- Correlate database insert timestamps for the first cohort of users to identify clustered registrations within a short window.
Monitoring Recommendations
- Forward Open WebUI authentication and audit logs to a centralized log store and alert on unexpected role escalations.
- Monitor reverse proxy logs for parallel POST requests to /api/v1/auths/ldap and OAuth callback URLs during deployment windows.
- Track the running version of Open WebUI across deployments and flag any instance below 0.9.0.
How to Mitigate CVE-2026-45675
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.0 or later on all instances using LDAP or OAuth authentication.
- Inventory existing administrators on every Open WebUI deployment and demote any account that was not explicitly authorized.
- Rotate session tokens and OAuth client secrets if unauthorized admin accounts are discovered.
Patch Information
The fix is contained in commit 96a0b32 and merged via pull request #23626. It is released in Open WebUI 0.9.0. Refer to the GitHub Security Advisory GHSA-h3ww-q6xx-w7x3 for the full vendor notice.
Workarounds
- Provision the initial administrator account through the local signup_handler before enabling LDAP or OAuth registration.
- Restrict network access to LDAP and OAuth registration endpoints until the first administrator is established.
- Disable open registration via OAuth role management settings on instances that cannot immediately upgrade.
# Pin Open WebUI to the patched release
docker pull ghcr.io/open-webui/open-webui:0.9.0
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui \
-p 3000:8080 \
-v open-webui:/app/backend/data \
ghcr.io/open-webui/open-webui:0.9.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
