Improper Authentication in Open WebUI - #VU130171


Published: May 5, 2026


Vulnerability identifier: #VU130171
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software: Open WebUI

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication and gain access to another user's account.

The vulnerability exists due to improper authentication in the LDAP authentication endpoint when processing LDAP login requests with an empty password. A remote attacker can submit a valid LDAP username and an empty password to bypass authentication and gain access to another user's account.

Exploitation requires LDAP authentication to be enabled, the underlying LDAP server to accept unauthenticated simple binds with empty passwords, and knowledge of a valid LDAP username.
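The failure mode described above, as an added Python model that is not Open WebUI's code: a simulated directory that honours RFC 4513 "unauthenticated" simple binds, and a login routine with and without the empty-password check. All function names, DNs and sample users are constructed for the illustration.

```python
# Added illustration (not Open WebUI code): why an empty password must be
# rejected before an LDAP simple bind. Names and sample data are constructed.

DIRECTORY = {  # constructed sample users: login name -> (DN, password)
    "alice": ("uid=alice,ou=people,dc=example,dc=org", "correct-horse"),
}


class FakeLdapServer:
    """Models a directory that honours RFC 4513 'unauthenticated' simple binds:
    a non-empty DN with an empty password is treated as an anonymous bind and
    reported as success, even though no credential was verified."""

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn and password == "":
            return True  # anonymous bind: the server checked nothing
        return any(dn == user_dn and password == user_pw
                   for user_dn, user_pw in DIRECTORY.values())


def lookup_dn(username: str):
    """Resolve a login name to its DN (a search bind would do this for real)."""
    entry = DIRECTORY.get(username)
    return entry[0] if entry else None


def login_vulnerable(server: FakeLdapServer, username: str, password: str):
    """Pattern behind the advisory: the bind result alone decides the login,
    so a valid username plus an empty password is accepted as that user."""
    dn = lookup_dn(username)
    if dn is None:
        return None
    return username if server.simple_bind(dn, password) else None


def login_hardened(server: FakeLdapServer, username: str, password: str):
    """Reject empty or whitespace-only passwords before contacting the
    directory; the bind never happens, so server bind policy cannot matter."""
    if not username or not password or not password.strip():
        return None
    dn = lookup_dn(username)
    if dn is None:
        return None
    return username if server.simple_bind(dn, password) else None
```

The same pre-bind check belongs in any application that authenticates against LDAP, since whether an empty-password bind succeeds is a server setting the application does not control.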


Remediation

Install the security update from the vendor's website.

Sources