TOCTOU Vulnerability in Open WebUI LDAP and OAuth Authentication
CVE-2026-45675

8.1 HIGH

Key Information:

Vendor: Open-webui

CVE Published: 15 May 2026

What is CVE-2026-45675?

Open WebUI, a self-hosted artificial intelligence platform, contains a vulnerability in its LDAP and OAuth authentication mechanisms. Prior to version 0.9.0, the first-user admin role was assigned with a TOCTOU (time-of-check to time-of-use) pattern: the check that no user exists yet and the creation of the account as admin were separate, non-atomic steps, so concurrent first logins could each pass the check. The regular signup process had already been patched to close this window, but the LDAP and OAuth authentication flows were left unaddressed, leaving a critical gap that could allow unauthorized role assignments.
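The check-then-act race the advisory describes, shown as an added illustration that is not Open WebUI's code: the `UserStore`, `racy_signup` and `atomic_signup` names, the in-memory store and the barrier used to force the interleaving are all hypothetical stand-ins for an account-creation path such as a first LDAP or OAuth login. The vulnerable handler decides the role and then inserts the account as two steps; the hardened handler makes the decision and the insert one critical section.

```python
"""Hypothetical model of a first-user-admin TOCTOU race (not Open WebUI's code).

A signup handler checks whether any user exists, then inserts the new account
as admin if none did.  Two concurrent signups can both pass the check before
either insert, so both become admin.  The hardened handler decides the role
inside the same critical section as the insert.
"""
import threading
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class UserStore:
    """Constructed in-memory user table standing in for the real database."""
    users: Dict[str, str] = field(default_factory=dict)  # email -> role
    lock: threading.Lock = field(default_factory=threading.Lock)

    def count(self) -> int:
        return len(self.users)

    def insert(self, email: str, role: str) -> None:
        self.users[email] = role


def racy_signup(store: UserStore, email: str, window: threading.Barrier) -> str:
    """Vulnerable pattern: time-of-check and time-of-use are separate steps.

    `window` is a test aid that holds every caller after the check and before
    the insert; that gap is exactly what a server hits when two first-login
    requests (hypothetical LDAP/OAuth path) arrive at the same time.
    """
    role = "admin" if store.count() == 0 else "user"  # time of check
    window.wait()                                     # race window
    store.insert(email, role)                         # time of use
    return role


def atomic_signup(store: UserStore, email: str, window: threading.Barrier) -> str:
    """Hardened pattern: role decision and insert share one critical section.

    In a real deployment the lock corresponds to a single database transaction
    at a serializable isolation level, or a conditional insert enforced by the
    database (e.g. a unique constraint on the admin row); the lock models that.
    """
    window.wait()  # callers arrive together, but only one may proceed at a time
    with store.lock:
        role = "admin" if store.count() == 0 else "user"
        store.insert(email, role)
    return role


def run_concurrent(handler, n: int = 2) -> List[str]:
    """Fire `n` simultaneous first-signups through `handler`; return the roles."""
    store = UserStore()
    window = threading.Barrier(n)
    roles: List[str] = [""] * n

    def worker(i: int) -> None:
        # Constructed sample identities; the domain is reserved for examples.
        roles[i] = handler(store, f"user{i}@example.test", window)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return roles


def admin_count(handler, n: int = 2) -> int:
    """Number of accounts that ended up as admin after `n` concurrent signups."""
    return run_concurrent(handler, n).count("admin")


if __name__ == "__main__":
    print("racy  :", admin_count(racy_signup))    # 2: every racer passes the check
    print("atomic:", admin_count(atomic_signup))  # 1: check and insert are serialized
```

The point the advisory makes is that the fix must cover every path that creates an account, not only the regular signup form: a lock (or transaction) around one handler does nothing for a second handler that still uses the racy shape, which is why the LDAP and OAuth flows remained exploitable after signup was patched. When auditing a deployment, look for every place a role is derived from a prior query and confirm that query and the write run under the same transaction or constraint.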

Affected Version(s)

open-webui < 0.9.0

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved