CVE-2026-45675 — HIGH (CVSS 8.1)

Q: Is CVE-2026-45675 actively exploited?

No confirmed active exploitation of CVE-2026-45675 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-45675?

1. Patch immediately: upgrade open-webui to v0.9.0 or later — both LDAP path (routers/auths.py) and OAuth path (utils/oauth.py) are fixed with the insert-first-check-after pattern. 2. If immediate upgrade is not possible: disable LDAP and OAuth authentication and require local account creation only until patched. 3. Audit: query the users table for multiple admin-role accounts with creation timestamps clustered within seconds of each other, particularly near instance initialization time. 4. Detection: review authentication logs for concurrent LDAP/OAuth requests from different source accounts during the first minutes of instance operation. 5. Post-discovery: if an unauthorized admin account is found, rotate all LLM API keys stored in Open WebUI settings and revoke the unauthorized account.

Q: What systems are affected by CVE-2026-45675?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, Enterprise LDAP-integrated AI platforms, OAuth-authenticated LLM gateway deployments, Multi-user LLM API key management, RAG document store integrations.

Q: What is the CVSS score for CVE-2026-45675?

CVE-2026-45675 has a CVSS v3.1 base score of 8.1 (HIGH).

CISO Take

Open WebUI versions up to 0.8.12 contain a race condition in its LDAP and OAuth authentication flows where multiple concurrent first-login requests can all observe an empty user database and each receive administrator privileges — the same flaw that was already patched in the standard signup path but was never applied to the federated authentication code. With no prior account required and the race window structurally widened by the default per-request database session configuration, an adversary who times concurrent LDAP or OAuth requests during a fresh instance's onboarding moment gains full admin control of the LLM gateway, including all stored API keys for frontier model providers, complete user conversation history, and the ability to plant persistent backdoor accounts or manipulate system prompts for all users. The package carries 91 tracked CVEs and is a primary interface to high-value LLM backends in enterprise environments, making the blast radius significant despite the High Attack Complexity rating. Upgrade to v0.9.0 immediately; if patching is not possible, disable LDAP and OAuth in favor of local accounts and audit all admin accounts for unexpected entries clustered near initial deployment timestamps.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

CVSS 8.1 High with network attack vector and zero privileges required. Attack complexity is rated High due to concurrency timing requirements, but the race window is structurally widened by the default DATABASE_ENABLE_SESSION_SHARING=False configuration — each concurrent request uses its own database session, increasing the window where all requests can simultaneously pass the has_users() check before any insert commits. The vulnerability is deterministic during a predictable operational moment (fresh instance onboarding), which an insider threat or targeted attacker could anticipate. No active exploitation reported, not in CISA KEV, EPSS not yet scored. Compensating factors: requires LDAP or OAuth to be enabled and the attack window is finite (only during the zero-user state). Post-exploit impact is effectively total platform compromise.

Attack Kill Chain

Target Identification

Adversary identifies a fresh Open WebUI instance with LDAP or OAuth enabled during initial deployment via network scanning, tech intelligence, or knowledge of the target's LLM infrastructure rollout timing.

AML.T0006

Concurrent Auth Exploit

Adversary sends multiple simultaneous LDAP or OAuth authentication requests before any user record is committed, exploiting the TOCTOU window where all requests observe an empty database and all receive the admin role pre-insert.

AML.T0049

Admin Persistence

One or more adversary-controlled accounts are persisted with admin role in the Open WebUI database, providing durable access to the LLM gateway independent of the race condition and surviving instance restarts.

AML.T0012

Platform Takeover

With admin access, adversary harvests stored LLM API keys, exfiltrates all user conversation histories, injects malicious system prompts affecting all platform users, or creates additional backdoor admin accounts.

AML.T0055

Target Identification

Adversary identifies a fresh Open WebUI instance with LDAP or OAuth enabled during initial deployment via network scanning, tech intelligence, or knowledge of the target's LLM infrastructure rollout timing.

AML.T0006

Concurrent Auth Exploit

Adversary sends multiple simultaneous LDAP or OAuth authentication requests before any user record is committed, exploiting the TOCTOU window where all requests observe an empty database and all receive the admin role pre-insert.

AML.T0049

Admin Persistence

One or more adversary-controlled accounts are persisted with admin role in the Open WebUI database, providing durable access to the LLM gateway independent of the race condition and surviving instance restarts.

AML.T0012

Platform Takeover

With admin access, adversary harvests stored LLM API keys, exfiltrates all user conversation histories, injects malicious system prompts affecting all platform users, or creates additional backdoor admin accounts.

AML.T0055

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	<= 0.8.12	`0.9.0`
136.3K Pushed 5d ago 75% patched ~4d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

8.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Network

AC High

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

5 steps

Patch immediately: upgrade open-webui to v0.9.0 or later — both LDAP path (routers/auths.py) and OAuth path (utils/oauth.py) are fixed with the insert-first-check-after pattern.
If immediate upgrade is not possible: disable LDAP and OAuth authentication and require local account creation only until patched.
Audit: query the users table for multiple admin-role accounts with creation timestamps clustered within seconds of each other, particularly near instance initialization time.
Detection: review authentication logs for concurrent LDAP/OAuth requests from different source accounts during the first minutes of instance operation.
Post-discovery: if an unauthorized admin account is found, rotate all LLM API keys stored in Open WebUI settings and revoke the unauthorized account.

Classification

Auth Bypass Data Extraction Framework API AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0085 - Data from AI Services

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.3 - Roles and responsibilities for AI systems

NIST AI RMF

GOVERN 1.2 - Accountability

OWASP LLM Top 10

LLM08:2023 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-45675?

Open WebUI versions up to 0.8.12 contain a race condition in its LDAP and OAuth authentication flows where multiple concurrent first-login requests can all observe an empty user database and each receive administrator privileges — the same flaw that was already patched in the standard signup path but was never applied to the federated authentication code. With no prior account required and the race window structurally widened by the default per-request database session configuration, an adversary who times concurrent LDAP or OAuth requests during a fresh instance's onboarding moment gains full admin control of the LLM gateway, including all stored API keys for frontier model providers, complete user conversation history, and the ability to plant persistent backdoor accounts or manipulate system prompts for all users. The package carries 91 tracked CVEs and is a primary interface to high-value LLM backends in enterprise environments, making the blast radius significant despite the High Attack Complexity rating. Upgrade to v0.9.0 immediately; if patching is not possible, disable LDAP and OAuth in favor of local accounts and audit all admin accounts for unexpected entries clustered near initial deployment timestamps.

Is CVE-2026-45675 actively exploited?

No confirmed active exploitation of CVE-2026-45675 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45675?

1. Patch immediately: upgrade open-webui to v0.9.0 or later — both LDAP path (routers/auths.py) and OAuth path (utils/oauth.py) are fixed with the insert-first-check-after pattern. 2. If immediate upgrade is not possible: disable LDAP and OAuth authentication and require local account creation only until patched. 3. Audit: query the users table for multiple admin-role accounts with creation timestamps clustered within seconds of each other, particularly near instance initialization time. 4. Detection: review authentication logs for concurrent LDAP/OAuth requests from different source accounts during the first minutes of instance operation. 5. Post-discovery: if an unauthorized admin account is found, rotate all LLM API keys stored in Open WebUI settings and revoke the unauthorized account.

What systems are affected by CVE-2026-45675?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, Enterprise LDAP-integrated AI platforms, OAuth-authenticated LLM gateway deployments, Multi-user LLM API key management, RAG document store integrations.

What is the CVSS score for CVE-2026-45675?

CVE-2026-45675 has a CVSS v3.1 base score of 8.1 (HIGH).

Technical Details

NVD Description

## Summary The LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (`signup_handler` in auths.py, line 663) was explicitly patched to prevent this race with the comment *"Insert with default role first to avoid TOCTOU race"*, but the LDAP and OAuth code paths were never updated with the same fix. ## Vulnerable Code ### LDAP (auths.py, lines 479-490) ```python # Line 482 - CHECK: is the user table empty? role = 'admin' if not Users.has_users(db=db) else request.app.state.config.DEFAULT_USER_ROLE # Lines 484-490 - USE: create user with the role determined above user = Auths.insert_new_auth( email=email, password=str(uuid.uuid4()), name=cn, role=role, # <-- role was determined BEFORE insert, race window exists db=db, ) ``` ### OAuth (oauth.py, lines 1103-1112, 1566-1574) ```python # Line 1104 - CHECK: count users def get_user_role(self, user, user_data): user_count = Users.get_num_users() if not user and user_count == 0: return 'admin' # Line 1112 # Lines 1566-1574 - USE: create user with pre-determined role user = Auths.insert_new_auth( ... role=self.get_user_role(None, user_data), # Line 1571 ... ) ``` Both paths determine the role BEFORE inserting the user, creating a race window where multiple concurrent requests on a fresh instance can all observe an empty database and all receive the `admin` role. ## Comparison with Patched Signup The `signup_handler` (auths.py, line 663) was explicitly fixed: ```python # Insert with default role first to avoid TOCTOU race user = Auths.insert_new_auth(..., role=DEFAULT_USER_ROLE, ...) # Then check if this is the only user and upgrade if Users.get_num_users() == 1: Users.update_user_role_by_id(user.id, 'admin') ``` The LDAP and OAuth paths did NOT receive this fix. ## Exploitation 1. Deploy Open WebUI with LDAP or OAuth enabled on a fresh instance (no existing users) 2. Send multiple concurrent authentication requests from different users 3. Multiple requests pass the `has_users()` / `get_num_users() == 0` check simultaneously 4. All concurrent users become administrators `DATABASE_ENABLE_SESSION_SHARING` defaults to `False` (env.py:387), so each call uses its own database session, widening the race window. ## Impact Any LDAP/OAuth user who times their first login concurrently with the legitimate first admin can escalate to full admin privileges, gaining access to all user data, system configuration, API keys, and connected LLM backends. ## Suggested Fix Apply the same insert-then-check pattern used in `signup_handler`: insert the user with `DEFAULT_USER_ROLE` first, then atomically check if this is the only user and upgrade to admin only if so. ## Resolution Fixed in PR [#23626](https://github.com/open-webui/open-webui/pull/23626) (commit [96a0b3239](https://github.com/open-webui/open-webui/commit/96a0b3239b1aadb23fc359bf10849c9ba12fd6ec)), first released in **v0.9.0** (Apr 2026). Both LDAP (`routers/auths.py`) and OAuth (`utils/oauth.py`) registration paths now use the same insert-first-check-after pattern that `signup_handler` already had: 1. Insert the new user with `DEFAULT_USER_ROLE` unconditionally — no pre-insert role decision based on user count. 2. After the insert commits, atomically call `Users.get_num_users() == 1` to check whether this is the sole user. 3. Only the sole user gets promoted to `admin` via `Users.update_user_role_by_id`. `OAuthManager.get_user_role` was also updated to return `DEFAULT_USER_ROLE` (not `admin`) for first-user bootstrap; admin promotion is deferred to the post-insert check above. With this ordering, two concurrent first-user registrations that both observe an empty table can both insert, but only one will see `get_num_users() == 1` afterward — the other will see `== 2` and not be promoted. Users on `>= 0.9.0` are not affected.

Exploitation Scenario

An adversary identifies a target organization deploying Open WebUI with LDAP integration via job postings, tech stack reconnaissance, or internal network scanning. During the brief onboarding window when the legitimate first admin is configuring the fresh instance, the adversary simultaneously sends multiple concurrent LDAP authentication requests from different accounts they control. All requests hit Users.has_users() before any user record is committed — all observe an empty database and all are assigned the admin role by the pre-insert role decision logic. The adversary's accounts now have persistent admin access to the LLM gateway: they extract all stored API keys for OpenAI and Anthropic, read complete user conversation histories, inject malicious system prompts affecting all subsequent users, and create additional backdoor admin accounts before the legitimate admin notices unexpected entries in the user list.