CVE-2026-45675

Source
https://cve.org/CVERecord?id=CVE-2026-45675
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45675.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45675
Aliases
Published
2026-05-15T19:12:57.665Z
Modified
2026-07-08T08:13:29.869789004Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
Details

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment "Insert with default role first to avoid TOCTOU race", but the LDAP and OAuth code paths were never updated with the same fix. This vulnerability is fixed in 0.9.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45675.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-269",
        "CWE-362"
    ]
}
References

Affected packages

Git / github.com/open-webui/open-webui

Affected ranges

Type
GIT
Repo
https://github.com/open-webui/open-webui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.9.0"
        }
    ]
}

Affected versions

v0.*
v0.1.102
v0.1.103
v0.1.104
v0.1.105
v0.1.106
v0.1.107
v0.1.108
v0.1.109
v0.1.110
v0.1.111
v0.1.112
v0.1.113
v0.1.114
v0.1.115
v0.1.116
v0.1.117
v0.1.118
v0.1.119
v0.1.120
v0.1.121
v0.1.122
v0.1.123
v0.1.124
v0.1.125
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.3.0
v0.3.1
v0.3.10
v0.3.11
v0.3.12
v0.3.13
v0.3.14
v0.3.15
v0.3.16
v0.3.17
v0.3.18
v0.3.19
v0.3.2
v0.3.20
v0.3.21
v0.3.22
v0.3.23
v0.3.24
v0.3.25
v0.3.26
v0.3.27
v0.3.28
v0.3.29
v0.3.3
v0.3.30
v0.3.31
v0.3.32
v0.3.33
v0.3.34
v0.3.35
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.15
v0.5.16
v0.5.17
v0.5.18
v0.5.19
v0.5.2
v0.5.20
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.10
v0.6.11
v0.6.12
v0.6.13
v0.6.14
v0.6.15
v0.6.16
v0.6.17
v0.6.18
v0.6.19
v0.6.2
v0.6.20
v0.6.21
v0.6.22
v0.6.23
v0.6.24
v0.6.25
v0.6.26
v0.6.27
v0.6.28
v0.6.29
v0.6.3
v0.6.30
v0.6.31
v0.6.32
v0.6.33
v0.6.34
v0.6.35
v0.6.36
v0.6.37
v0.6.38
v0.6.39
v0.6.4
v0.6.40
v0.6.41
v0.6.42
v0.6.43
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.6.9
v0.7.0
v0.7.1
v0.7.2
v0.8.0
v0.8.1
v0.8.10
v0.8.11
v0.8.12
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45675.json"