CVE-2026-44551: open-webui: LDAP auth bypass — full account takeover

GHSA-2r4p-jpmg-48f4 CRITICAL NUCLEI TEMPLATE CISA: TRACK*
Published May 8, 2026
CISO Take

Open WebUI contains a critical authentication bypass (CVSS 9.1) in its LDAP login endpoint. A POST to /api/v1/auths/ldap with a valid username and an empty password makes the backend perform a simple bind with the target's DN and no credential. RFC 4513 §5.1.2 calls this an unauthenticated bind: a directory that permits it answers success, but the resulting session is anonymous. Open WebUI treats any bind success as proof of identity and issues a full session token for the target account, admin accounts included, from a single unauthenticated HTTP request. LDAP is off by default (ENABLE_LDAP=True is required), but every deployment that signs users in through a directory is exposed whenever that directory accepts unauthenticated binds, which Active Directory does out of the box and OpenLDAP does when 'allow bind_anon_dn' is configured. The package carries 52 other tracked CVEs and a risk score of 38/100, a pattern of ongoing security debt. No public exploit or KEV listing exists yet, but exploitation needs nothing beyond a username and one request. Upgrade to open-webui 0.9.0 now; if patching is delayed, disable LDAP or make the directory reject unauthenticated simple binds (OpenLDAP: remove any 'allow bind_anon_dn' and add 'disallow bind_anon'; on Active Directory, block unauthenticated binds on the domain controllers rather than relying on LDAP signing, which does not address this).

Sources: GitHub Advisory ATLAS

What is the risk?

CRITICAL. Network-exploitable with a single unauthenticated HTTP POST requiring only a known username; no tooling, credentials, or AI/ML knowledge is needed, provided the directory behind Open WebUI accepts unauthenticated simple binds (Active Directory does by default; OpenLDAP only when configured to). While LDAP must be explicitly enabled, enterprise deployments of Open WebUI routinely integrate directory services for multi-user access, making this a high-value target in corporate environments. Complete account takeover includes access to stored LLM API keys (OpenAI, Anthropic), conversation history, and platform admin controls. The LDAP endpoint has no rate limiting, unlike the password sign-in flow, so an attacker can walk a list of usernames and take over many accounts quickly.

How does the attack unfold?

Reconnaissance
Adversary identifies Open WebUI instance with LDAP enabled and collects valid LDAP usernames via OSINT (LinkedIn, application responses) or directory enumeration.
AML.T0006
Initial Access
Adversary sends POST /api/v1/auths/ldap with a known username and empty password string, triggering the vulnerable LDAP Simple Bind code path.
AML.T0049
Authentication Bypass
The LDAP server treats the DN-plus-empty-password bind as an unauthenticated (anonymous) bind per RFC 4513 §5.1.2 and, if configured to permit it, returns success without checking any credential; the application never asks which identity was actually bound and issues a full JWT session token for the victim.
AML.T0012
Impact
Adversary accesses victim's AI conversations, exfiltrates stored LLM API keys, and if admin — gains full platform control including model endpoint reconfiguration.
AML.T0085

What systems are affected?

Package: Open WebUI
Ecosystem: pip
Vulnerable range: <= 0.8.12
Patched: 0.9.0
142.4K | Pushed 3d ago | 77% patched | ~4d to patch


How severe is it?

CVSS 3.1
9.1 / 10
EPSS
1.3%
chance of exploitation in 30 days
Higher than 66% of all CVEs
Exploitation Status
Exploit Possible
Exploitation: LOW
Sophistication
Trivial
Exploitation Confidence
low
Nuclei detection template available
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

What should I do?

5 steps
  1. PATCH

    Upgrade to open-webui 0.9.0 immediately — fix adds min_length=1 constraint to LdapForm.password field.

  2. WORKAROUND

    If immediate upgrade is not possible, set ENABLE_LDAP=False and switch to alternative authentication until patched.

  3. LDAP HARDENING

    Make the directory refuse a bind that carries a DN but no password. Stock OpenLDAP already does this (it answers unwillingToPerform, err=53) and only accepts such binds when 'allow bind_anon_dn' is set, so remove that directive and add 'disallow bind_anon' if anonymous access is not needed. Active Directory accepts unauthenticated binds by default; Windows Server 2019 and later domain controllers can be configured to refuse them via the dSHeuristics attribute. LDAP signing (the 'Network security: LDAP client signing requirements' policy) protects transport integrity and does not block this bind. Verify from a client with ldapwhoami -x -H ldap://<server> -D '<user dn>' and no -w/-W option: a hardened directory returns an error instead of printing anonymous.

  4. DETECTION

    Web-server access logs record the request line but not the body, so a plain grep for POST /api/v1/auths/ldap cannot tell an empty password from a real login; log request bodies for that path at the reverse proxy or WAF, or at least count LDAP logins per source IP and flag bursts, since the endpoint has no rate limit. On the directory side, OpenLDAP with loglevel stats logs a refused attempt as RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed; a directory that accepts the bind logs an ordinary err=0 result, so the absence of err=53 is not the absence of attack. Also review Open WebUI's own sign-in records for successful LDAP logins that do not match known user activity.

  5. POST-INCIDENT: Rotate all LLM API keys stored in Open WebUI user accounts (OpenAI, Anthropic, etc.), invalidate all active sessions, and review conversation history for data exfiltration indicators.
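
A detector for step 4 that runs over OpenLDAP stats-log output, as an added example (not part of the advisory or of Open WebUI). The log lines are constructed in slapd's loglevel stats format with the syslog prefix stripped; newer releases add fields such as bind_ssf=, so the parser keys on the tokens it needs rather than on position. Function and variable names are this example's own.

```python
# Added example, not Open WebUI or advisory code: correlate slapd stats-log
# lines to find refused unauthenticated binds and the client IPs behind them.
import re
from collections import defaultdict

# Constructed sample in slapd 'loglevel stats' format (syslog prefix removed).
SAMPLE_SLAPD_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1000 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
conn=1000 op=1 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
conn=1000 op=1 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
conn=1001 fd=13 ACCEPT from IP=10.0.0.9:40011 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="cn=svc-openwebui,ou=services,dc=example,dc=com" method=128
conn=1001 op=0 BIND dn="cn=svc-openwebui,ou=services,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
conn=1001 op=1 RESULT tag=97 err=49 text=
conn=1000 fd=12 closed
"""

ACCEPT_RE = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+)')
BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=128')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)$')

# Exact diagnostic slapd attaches when it refuses a DN-with-no-password bind.
UNAUTH_BIND_TEXT = "unauthenticated bind (DN with no password) disallowed"


def find_unauthenticated_bind_attempts(lines):
    """Return one finding per refused unauthenticated bind: conn, source IP, target DN.

    Only a directory that rejects such binds produces this signal (err=53). A
    directory that accepts them logs a plain err=0, indistinguishable here from
    a legitimate anonymous bind, which is why the application-side fix matters.
    """
    source_ip = {}   # conn id -> client IP taken from the ACCEPT line
    pending = {}     # (conn, op) -> DN taken from the BIND request line
    findings = []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            # Drop the port; an IPv6 literal such as [::1]:389 keeps its brackets.
            source_ip[m.group(1)] = m.group(2).rsplit(":", 1)[0]
            continue
        m = BIND_RE.match(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.match(line)
        if m and m.group(3) == "53" and UNAUTH_BIND_TEXT in m.group(4):
            conn, op = m.group(1), m.group(2)
            findings.append({
                "conn": conn,
                "ip": source_ip.get(conn, "unknown"),
                "dn": pending.pop((conn, op), ""),
            })
    return findings


def sources_probing_many_accounts(findings, min_distinct_dns=2):
    """Group findings by client IP; several distinct DNs from one IP is enumeration."""
    dns_by_ip = defaultdict(set)
    for f in findings:
        dns_by_ip[f["ip"]].add(f["dn"])
    return {ip: sorted(dns) for ip, dns in dns_by_ip.items() if len(dns) >= min_distinct_dns}


if __name__ == "__main__":
    hits = find_unauthenticated_bind_attempts(SAMPLE_SLAPD_LOG.splitlines())
    for h in hits:
        print(f"refused unauthenticated bind from {h['ip']} for {h['dn']}")
    print("enumeration sources:", sources_probing_many_accounts(hits))
```

Feed it the slapd log (journalctl -u slapd, or the syslog file, with the timestamp and host prefix cut off) and raise an alert on any finding; an IP that appears with two or more distinct DNs is walking a username list, which the unthrottled endpoint makes cheap.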

What does CISA's SSVC say?

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - Access to networks and network services
NIST AI RMF
GOVERN 1.1 - Policies and procedures for AI risk management
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-44551?

A critical (CVSS 9.1) authentication bypass in Open WebUI's LDAP login endpoint, POST /api/v1/auths/ldap, affecting versions up to 0.8.12 when ENABLE_LDAP=True. Submitting a valid username with an empty password makes the backend bind to the directory with that user's DN and no credential; a directory that permits unauthenticated simple binds (RFC 4513 §5.1.2) answers success, and Open WebUI issues a full session token for the account without any password check. Fixed in 0.9.0.

Is CVE-2026-44551 actively exploited?

No confirmed active exploitation of CVE-2026-44551 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44551?

Upgrade to open-webui 0.9.0, where LdapForm.password carries a min_length=1 constraint. Until then, set ENABLE_LDAP=False, or make the directory reject unauthenticated simple binds (OpenLDAP: no 'allow bind_anon_dn', plus 'disallow bind_anon'; Active Directory accepts them by default, so block them on the domain controllers). Then hunt for empty-password bind attempts in directory and proxy logs and, after any suspected compromise, rotate stored LLM API keys, invalidate sessions, and review conversation history. The full five-step list is under 'What should I do?' above.

What systems are affected by CVE-2026-44551?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces with enterprise LDAP SSO, Multi-user AI platforms, Model serving frontends, Enterprise AI deployments with directory-based access control.

What is the CVSS score for CVE-2026-44551?

CVE-2026-44551 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 1.26%.

What is the AI security impact?

Affected AI Architectures

LLM chat interfaces with enterprise LDAP SSO
Multi-user AI platforms
Model serving frontends
Enterprise AI deployments with directory-based access control

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0085 Data from AI Services
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.2
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

# LDAP Empty Password Authentication Bypass

## Affected Component

LDAP authentication endpoint:

- `backend/open_webui/routers/auths.py` (lines 468-477, user bind with empty password)
- `backend/open_webui/models/auths.py` (lines 58-60, `LdapForm` model)

## Affected Versions

Current main branch (commit `6fdd19bf1`) and likely all versions with LDAP authentication support.

## Description

The LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind against the LDAP server. Per RFC 4513 Section 5.1.2, a Simple Bind with a valid DN and an empty password constitutes an "unauthenticated simple authentication" — many LDAP servers (including OpenLDAP in default configuration and some Active Directory setups) return success (resultCode 0) for this operation.

The `LdapForm` Pydantic model accepts `password: str` with no minimum length constraint, so an empty string passes validation. The subsequent `Connection.bind()` call succeeds on vulnerable LDAP servers, and the application issues a full session token for the target user.

```python
# models/auths.py:58-60 — no min_length on password
class LdapForm(BaseModel):
    user: str
    password: str


# auths.py:469-477 — empty password reaches LDAP bind
connection_user = Connection(
    server,
    user_dn,
    form_data.password,  # can be ""
    auto_bind='NONE',
    authentication='SIMPLE',
)
if not await asyncio.to_thread(connection_user.bind):
    raise HTTPException(400, 'Authentication failed.')
# If bind succeeds (which it does with empty password on many servers),
# execution continues and a full session token is issued
```

## CVSS 3.1 Breakdown

| Metric | Value | Rationale |
|--------|-------|-----------|
| Attack Vector | Network (N) | Exploited remotely via the LDAP login endpoint |
| Attack Complexity | Low (L) | Single request with an empty password field |
| Privileges Required | None (N) | No prior authentication needed |
| User Interaction | None (N) | No victim interaction required |
| Scope | Unchanged (U) | Impact within the application's authentication boundary |
| Confidentiality | High (H) | Full access to victim's account data — chats, files, API keys, settings |
| Integrity | High (H) | Can modify victim's data, settings, send messages as victim |
| Availability | None (N) | No direct denial of service |

## Attack Scenario

1. LDAP authentication is enabled on the Open WebUI instance.
2. The underlying LDAP server accepts unauthenticated simple binds (OpenLDAP default, some AD configs).
3. Attacker sends:

   ```
   POST /api/v1/auths/ldap
   {"user": "admin_username", "password": ""}
   ```

4. The app DN bind succeeds normally (line 366), finds the target user via LDAP search.
5. The user bind (line 469-477) sends a Simple Bind with the target's DN and an empty password.
6. The LDAP server returns success for the unauthenticated bind.
7. `authenticate_user_by_email` (line 507) issues a full session token for the target user.
8. Attacker has complete access to the victim's account.

## Impact

- Complete authentication bypass — any LDAP user account can be taken over without knowing the password
- Includes admin accounts if they authenticate via LDAP
- No rate limiting on the LDAP endpoint (unlike the password signin endpoint)
- Zero interaction required from the victim

## Preconditions

- LDAP must be enabled (`ENABLE_LDAP=True`, disabled by default)
- The LDAP server must accept unauthenticated simple binds with empty passwords (OpenLDAP default behavior, configurable on AD)
- Attacker must know a valid LDAP username
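
The bind sequence that the attack chain above and the advisory both describe, shown as the pre-0.9.0 logic next to a hardened version. This is an added example, not Open WebUI's code or the advisory's: the directory is a small in-process stand-in with RFC 4513 simple-bind semantics so the example runs offline, and the names FakeDirectory, vulnerable_ldap_login, hardened_ldap_login and bypass_works are this example's own. The hardened version goes one step beyond the shipped fix by checking, after the bind, which identity the server actually bound (what ldap3's who_am_i extended operation returns against a real server).

```python
# Added example, not Open WebUI code: vulnerable vs hardened LDAP login against
# a simulated directory. Nothing here contacts a real LDAP server.
import secrets
from dataclasses import dataclass

ANONYMOUS = ""  # RFC 4532 "Who am I?" reports an empty authzid for an anonymous session


class AuthError(Exception):
    pass


@dataclass
class FakeDirectory:
    """Simple-bind semantics of RFC 4513 section 5.1, reduced to what matters here.

    passwords maps DN -> password. allow_unauthenticated=True mimics a server
    that accepts a DN with an empty password as an anonymous bind (Active
    Directory by default, OpenLDAP with 'allow bind_anon_dn'); False mimics
    stock OpenLDAP, which answers unwillingToPerform (err=53).
    """
    passwords: dict
    allow_unauthenticated: bool = True

    def simple_bind(self, dn: str, password: str):
        """Return (bind_succeeded, authzid the server would report via who_am_i)."""
        if dn == "" and password == "":
            return True, ANONYMOUS                        # 5.1.1 anonymous bind
        if password == "":                                # 5.1.2 unauthenticated bind
            return self.allow_unauthenticated, ANONYMOUS  # success, but still anonymous
        if self.passwords.get(dn) == password:            # 5.1.3 name/password bind
            return True, "dn:" + dn
        return False, ANONYMOUS                           # invalidCredentials (err=49)


def issue_session(dn: str) -> dict:
    """Stand-in for the JWT the real endpoint mints after a successful bind."""
    return {"dn": dn, "token": secrets.token_urlsafe(24)}


def vulnerable_ldap_login(directory: FakeDirectory, user_dn: str, password: str) -> dict:
    """Pre-0.9.0 shape: bind success alone is taken as proof of identity."""
    ok, _ = directory.simple_bind(user_dn, password)
    if not ok:
        raise AuthError("Authentication failed.")
    return issue_session(user_dn)


def hardened_ldap_login(directory: FakeDirectory, user_dn: str, password: str) -> dict:
    # Reject empty and whitespace-only passwords before any bind is attempted.
    # The 0.9.0 fix does this at the model layer (min_length=1), which is the
    # right place; the check is repeated here so it sits next to the bind.
    if not password or not password.strip():
        raise AuthError("Authentication failed.")
    ok, authzid = directory.simple_bind(user_dn, password)
    if not ok:
        raise AuthError("Authentication failed.")
    # Defence in depth: confirm the directory bound *this* DN, not anonymous.
    # Against a real server this is conn.extend.standard.who_am_i() in ldap3.
    if authzid.lower() != ("dn:" + user_dn).lower():
        raise AuthError("Authentication failed.")
    return issue_session(user_dn)


def bypass_works(login, directory: FakeDirectory, user_dn: str) -> bool:
    """True if `login` hands out a session for user_dn given an empty password."""
    try:
        return login(directory, user_dn, "")["dn"] == user_dn
    except AuthError:
        return False


if __name__ == "__main__":
    # Constructed directory: one admin whose password the attacker does not know.
    admin = "uid=admin,ou=people,dc=example,dc=com"
    lax = FakeDirectory({admin: "correct horse battery staple"}, allow_unauthenticated=True)
    strict = FakeDirectory(lax.passwords, allow_unauthenticated=False)
    print("vulnerable login, lax directory:   ", bypass_works(vulnerable_ldap_login, lax, admin))
    print("vulnerable login, strict directory:", bypass_works(vulnerable_ldap_login, strict, admin))
    print("hardened login, lax directory:     ", bypass_works(hardened_ldap_login, lax, admin))
```

The three runs print True, False, False: the vulnerable code hands out a session whenever the directory is permissive, the strict directory stops it on its own, and the hardened code stops it regardless of how the directory is configured, which is the property to want, since the directory may be run by another team.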

Exploitation Scenario

An adversary targeting an enterprise AI platform built on Open WebUI performs OSINT to identify LDAP usernames: LinkedIn profiles, application error messages that confirm valid accounts, or, if anonymous LDAP binds are enabled, direct directory enumeration. The attacker sends POST /api/v1/auths/ldap with the target admin username and an empty password string. The application's service account bind succeeds normally and locates the target's DN, then performs a Simple Bind with that DN and an empty password. The directory treats this as an unauthenticated bind under RFC 4513 §5.1.2 and, if configured to permit it, returns resultCode 0 without checking any credential. The application takes bind success as proof of identity and issues a full JWT session token. The adversary now controls the admin account: they can read all user conversations (including proprietary business context fed to LLMs), exfiltrate stored API keys to pivot into the organization's LLM provider accounts, and repoint model endpoints at attacker-controlled infrastructure for ongoing prompt surveillance.

Weaknesses (CWE)

CWE-287 — Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

  • [Architecture and Design] Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
May 8, 2026
Last Modified
May 8, 2026
First Seen
May 8, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2026/CVE-2026-44551.yaml -u https://target.example.com

Related Vulnerabilities