Information Exposure Through Timing Discrepancy in Open WebUI - #VU135958

Published: June 30, 2026


Vulnerability identifier: #VU135958
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-208
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information about account existence.

The vulnerability exists due to an observable timing discrepancy in /api/v1/auths/signin when handling signin requests. A remote attacker can send repeated login requests and measure response times to determine whether an account exists.

The response body remains the same for all attempts; the disclosure is limited to whether an email address is registered.
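A minimal illustration of the CWE-208 pattern described above and of the usual fix (always paying the password-verification cost, even for unknown accounts), as an added example that is not Open WebUI's code; the in-memory user store, the PBKDF2 cost function and all function names are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the demonstration


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (email -> (salt, hash)); hypothetical, not the real schema.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credential so unknown e-mails still go through a full verification.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_ERROR = "Invalid email or password"
hash_calls = {"count": 0}  # instrumentation for the demonstration only


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    hash_calls["count"] += 1
    return hmac.compare_digest(hash_password(password, salt), expected)


def signin_vulnerable(email: str, password: str) -> str:
    # CWE-208 pattern: an unknown e-mail returns before any hashing work,
    # so the (identical) error body arrives measurably faster.
    record = USERS.get(email)
    if record is None:
        return GENERIC_ERROR
    salt, expected = record
    return "ok" if verify(password, salt, expected) else GENERIC_ERROR


def signin_hardened(email: str, password: str) -> str:
    # Always run the password check; unknown e-mails are verified against a
    # dummy record so both branches perform the same amount of work.
    salt, expected = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = verify(password, salt, expected) and email in USERS
    return "ok" if ok else GENERIC_ERROR


def hash_calls_for(fn, email: str) -> int:
    """Count how many password-hash computations fn performs for one sign-in attempt."""
    before = hash_calls["count"]
    fn(email, "wrong password")
    return hash_calls["count"] - before
```

The response bodies are identical in both versions; only the hardened handler does equal work for known and unknown e-mails, which is what removes the timing signal.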


Remediation

Install the security update from the vendor's website.

Sources