Information Exposure Through Timing Discrepancy in Open WebUI - #VU135958
Published: June 30, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information about account existence.
The vulnerability exists due to an observable timing discrepancy in the /api/v1/auths/signin endpoint: a sign-in attempt for a registered email address takes a measurably different amount of time to complete than one for an unregistered address. A remote attacker can send repeated sign-in requests for a candidate email address, measure the response times, and compare them against the times for a known-registered address to determine whether the candidate account exists.
The response body is identical in both cases, so the disclosure is limited to whether an email address is registered; no credentials or other account data are exposed.
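The following is an added example, not Open WebUI's code, illustrating the class of bug this advisory describes and the usual fix. It assumes the common root cause for such a discrepancy: the sign-in handler returns early when the email is not found and only runs the (deliberately slow) password hash for known users. The page does not state that this is the cause in Open WebUI; it is an assumption for illustration. The PBKDF2 hasher, the user store, the email addresses and the function names are all constructed for the example. The hardened variant verifies the password against a dummy hash when the email is unknown, so both paths do the same amount of work, and `timing_ratio` performs the same comparison an attacker would make remotely (median latency for an unknown email divided by median latency for a known one).

```python
import hashlib
import hmac
import os
import statistics
import time

# Toy slow hash standing in for bcrypt/argon2 (assumption: not Open WebUI's hasher).
ITERATIONS = 50_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes = b"") -> bytes:
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store with a single registered account.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}

# Hash of a random secret, computed once at startup, used to burn the same
# amount of work for unknown emails as for known ones.
DUMMY_HASH = hash_password(os.urandom(SALT_LEN).hex())


def signin_vulnerable(email: str, password: str) -> bool:
    """Leaky pattern: unknown email returns before the slow hash runs."""
    stored = USERS.get(email)
    if stored is None:
        return False
    return verify_password(password, stored)


def signin_hardened(email: str, password: str) -> bool:
    """Fixed pattern: exactly one hash verification on every path."""
    stored = USERS.get(email)
    if stored is None:
        verify_password(password, DUMMY_HASH)  # result discarded; equalises work
        return False
    return verify_password(password, stored)


def median_ms(fn, email: str, password: str, rounds: int = 7) -> float:
    """Median wall-clock time of fn(email, password) over several rounds."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(email, password)
        samples.append((time.perf_counter() - t0) * 1000)
    return statistics.median(samples)


def timing_ratio(fn, rounds: int = 7) -> float:
    """Unknown-email time divided by known-email time; ~1.0 means no leak."""
    known = median_ms(fn, "alice@example.com", "wrong password", rounds)
    unknown = median_ms(fn, "nobody@example.com", "wrong password", rounds)
    return unknown / known


if __name__ == "__main__":
    for name, fn in (("vulnerable", signin_vulnerable), ("hardened", signin_hardened)):
        print(f"{name}: unknown/known timing ratio = {timing_ratio(fn):.3f}")
```

Against a live endpoint the same comparison is made over the network, so an attacker uses many more rounds and the median (or a low percentile) to average out jitter; a ratio far from 1.0 across repeated runs is the signal. Note that the fix must keep all branches on the same code path, including rate limiting and error construction, since any branch that skips the hash reintroduces the discrepancy.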