CVE-2026-45675

HIGH EPSS 27.3%
Published May 15, 20261mo ago · Modified Jun 18, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published May 15, 2026 1mo ago
Last Modified Jun 18, 2026 1w ago

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment "Insert with default role first to avoid TOCTOU race", but the LDAP and OAuth code paths were never updated with the same fix. This vulnerability is fixed in 0.9.0.

CVSS Details

Base Score
8.1
Exploitability
2.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
27.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-269 Improper Privilege Management Authorization
CWE-362

Affected Products 1

VendorProductVersionRange
openwebuiopen_webui* <0.9.0

References 3

  • github.com https://github.com/open-webui/open-webui/commit/96a0b3239b1aadb23fc359bf10849c9ba12fd6ec
    Patch
  • github.com https://github.com/open-webui/open-webui/pull/23626
    Issue Tracking
  • github.com https://github.com/open-webui/open-webui/security/advisories/GHSA-h3ww-q6xx-w7x3
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/open-webui/open-webui/commit/96a0b3239b1aadb23fc359bf10849c9ba12fd6ec
    Patch