8.1
CVE-2026-45675
- EPSS 0.35%
- Veröffentlicht 15.05.2026 19:12:57
- Zuletzt bearbeitet 19.05.2026 14:16:46
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginOpen WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, he LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment "Insert with default role first to avoid TOCTOU race", but the LDAP and OAuth code paths were never updated with the same fix. This vulnerability is fixed in 0.9.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Openwebui ≫ Open Webui Version < 0.9.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.35% | 0.271 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
https://github.com/open-webui/open-webui/security/advisories/GHSA-h3ww-q6xx-w7x3
https://github.com/open-webui/open-webui/pull/23626
https://github.com/open-webui/open-webui/commit/96a0b3239b1aadb23fc359bf10849c9ba12fd6ec