CVE 9.1 CRITICAL

Open WebUI: LDAP Empty Password Authentication Bypass_CVE-2026-44551

May 15, 2026 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind against the LDAP server. The LdapForm Pydantic model accepts password: str with no minimum length constraint, so an empty string passes validation. The subsequent Connection.bind() call succeeds on vulnerable LDAP servers, and the application issues a full session token for the target user. This vulnerability is fixed in 0.9.0.

AI Analysis

LDAP Empty Password Authentication Bypass vulnerability in Open WebUI prior to 0.9.0

Basic Information

ID CVE-2026-44551

Source GitHub_M

Published May 15, 2026 at 19:59

Affected Product

Vendor open-webui

Product open-webui

Version < 0.9.0

Affected Versions open-webui open-webui < 0.9.0

CWE Classification

CWE-287

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Open WebUI

Product Open WebUI

Version < 0.9.0

References

github.com /open-webui/open-webui/security/advisories/GHSA-2r4p-jpmg-48f4

{
    "lastseen": "",
    "description": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind against the LDAP server. The LdapForm Pydantic model accepts password: str with no minimum length constraint, so an empty string passes validation. The subsequent Connection.bind() call succeeds on vulnerable LDAP servers, and the application issues a full session token for the target user. This vulnerability is fixed in 0.9.0.",
    "published": "2026-05-15T19:59:35.011Z",
    "modified": "2026-05-15T19:59:35.011Z",
    "type": "cve",
    "title": "Open WebUI: LDAP Empty Password Authentication Bypass",
    "source": "GitHub_M",
    "references": "https://github.com/open-webui/open-webui/security/advisories/GHSA-2r4p-jpmg-48f4",
    "id": "CVE-2026-44551",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "open-webui open-webui < 0.9.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "open-webui",
    "version": "< 0.9.0",
    "vendor": "open-webui",
    "ai_description": "LDAP Empty Password Authentication Bypass vulnerability in Open WebUI prior to 0.9.0",
    "ai_severity": "Critical",
    "ai_vendor": "Open WebUI",
    "ai_product": "Open WebUI",
    "ai_version": "< 0.9.0",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply