CVE-2026-45675
HIGH EPSS 27.3%
Published May 15, 20261mo ago · Modified Jun 18, 20261w ago
8.1 CVSS 3.1
Published May 15, 2026 1mo ago
Last Modified Jun 18, 2026 1w ago
Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment "Insert with default role first to avoid TOCTOU race", but the LDAP and OAuth code paths were never updated with the same fix. This vulnerability is fixed in 0.9.0.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
27.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 2
CWE-269 Improper Privilege Management Authorization
CWE-362
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| openwebui | open_webui | * | <0.9.0 |
References 3
- github.com https://github.com/open-webui/open-webui/commit/96a0b3239b1aadb23fc359bf10849c9ba12fd6ec
- github.com https://github.com/open-webui/open-webui/pull/23626
- github.com https://github.com/open-webui/open-webui/security/advisories/GHSA-h3ww-q6xx-w7x3
Remediation
- github.com https://github.com/open-webui/open-webui/commit/96a0b3239b1aadb23fc359bf10849c9ba12fd6ec