Race condition in Open WebUI - #VU131118

 

Published: May 12, 2026


Vulnerability identifier: #VU131118
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software: Open WebUI

Detailed vulnerability description

The vulnerability allows a remote attacker to escalate privileges to administrator.

The vulnerability exists due to a race condition in the LDAP and OAuth authentication flows when processing concurrent first-user authentication requests on a fresh instance. A remote attacker can send concurrent authentication requests to escalate privileges to administrator.

Exploitation is limited to deployments with LDAP or OAuth enabled and requires the instance to have no existing users.
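
The check-then-act pattern behind this class of flaw (CWE-362), shown as an added example that is not Open WebUI's code or the vendor's fix. The `UserStore` class, its method names and the sample e-mail addresses are constructed for illustration; a barrier makes the interleaving deterministic so the unsafe and the serialized variants can be compared.

```python
import threading

class UserStore:
    """Constructed in-memory stand-in for a user table; not Open WebUI code."""

    def __init__(self):
        self.users = {}                  # email -> role
        self._lock = threading.Lock()

    def provision_racy(self, email, gate):
        # Check-then-act: the role is decided from a count read before the write.
        role = "admin" if len(self.users) == 0 else "user"
        gate.wait()                      # every caller finishes the check before any write
        self.users[email] = role
        return role

    def provision_atomic(self, email, gate):
        gate.wait()                      # callers still arrive at the same moment
        with self._lock:                 # check and write form one critical section
            role = "admin" if len(self.users) == 0 else "user"
            self.users[email] = role
        return role

def first_logins(method_name, emails):
    """Run one first login per email concurrently; return the admin accounts."""
    store = UserStore()
    gate = threading.Barrier(len(emails))
    method = getattr(store, method_name)
    threads = [threading.Thread(target=method, args=(e, gate)) for e in emails]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(e for e, r in store.users.items() if r == "admin")

if __name__ == "__main__":
    emails = ["a@example.test", "b@example.test", "c@example.test"]  # constructed
    print("racy:  ", first_logins("provision_racy", emails))
    print("atomic:", first_logins("provision_atomic", emails))
```

On a freshly deployed instance, the matching operational check is that exactly one account holds the administrator role after the first sign-in.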


Remediation

Install the security update from the vendor's website.

Sources