CVE-2026-45675: Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
(updated )
The LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment “Insert with default role first to avoid TOCTOU race”, but the LDAP and OAuth code paths were never updated with the same fix.
References
- github.com/advisories/GHSA-h3ww-q6xx-w7x3
- github.com/open-webui/open-webui/commit/96a0b3239b1aadb23fc359bf10849c9ba12fd6ec
- github.com/open-webui/open-webui/pull/23626
- github.com/open-webui/open-webui/releases/tag/v0.9.0
- github.com/open-webui/open-webui/security/advisories/GHSA-h3ww-q6xx-w7x3
- nvd.nist.gov/vuln/detail/CVE-2026-45675
Code Behaviors & Features
Detect and mitigate CVE-2026-45675 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →