CVE-2026-44551 | THREATINT

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind against the LDAP server. The LdapForm Pydantic model accepts password: str with no minimum length constraint, so an empty string passes validation. The subsequent Connection.bind() call succeeds on vulnerable LDAP servers, and the application issues a full session token for the target user. This vulnerability is fixed in 0.9.0.

PUBLISHED Reserved 2026-05-06 | Published 2026-05-15 | Updated 2026-05-19 | Assigner GitHub_M

CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-287: Improper Authentication

Product status

< 0.9.0

affected

References

github.com/...-webui/security/advisories/GHSA-2r4p-jpmg-48f4

cve.org (CVE-2026-44551)

nvd.nist.gov (CVE-2026-44551)

Download JSON