CVSS 8.1 HIGH Vulnerability

CVE-2026-45675: Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts


CVSS Score: 8.1
Severity: HIGH
CISA KEV: NO
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-45675
Vendor: pip
Affected Product: open-webui
Vulnerability Type: Vulnerability
CVSS Score: 8.1 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Summary

The LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment *"Insert with default role first to avoid TOCTOU race"*, but the LDAP and OAuth code paths were never updated with the same fix.

Vulnerable Code

LDAP (auths.py, lines 479-490)

```python
# Line 482 - CHECK: is the user table empty?
role = 'admin' if not Users.has_users(db=db) else request.app.state.config.DEFAULT_USER_ROLE

# Lines 484-490 - USE: create user with the role determined above
user = Auths.insert_new_auth(
    email=email,
    password=str(uuid.uuid4()),
    name=cn,
    role=role,
    # ... (remaining arguments are cut off in the source excerpt)
)
```

= 0.9.0 are not affected.
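The check-then-insert ordering from the LDAP excerpt next to an insert-first ordering, as an added example that is not Open WebUI's code. `UserStore`, `promote_if_first`, the `"pending"` role value and the barrier that holds the race window open are all constructed for illustration.

```python
import threading

class UserStore:
    """Toy users table (constructed); each method is atomic, like one SQL statement."""
    def __init__(self):
        self._lock = threading.Lock()
        self.roles = {}        # user id -> role
        self._next_id = 1

    def has_users(self):
        with self._lock:
            return bool(self.roles)

    def insert(self, role):
        with self._lock:
            uid = self._next_id
            self._next_id += 1
            self.roles[uid] = role
            return uid

    def promote_if_first(self, uid):
        # One atomic step: only the lowest row id can ever become admin.
        with self._lock:
            if uid == min(self.roles):
                self.roles[uid] = "admin"

def vulnerable_login(store, gate):
    role = "admin" if not store.has_users() else "pending"  # CHECK
    gate.wait()          # constructed: every request has checked, none has inserted
    store.insert(role)   # USE: acts on a stale answer

def hardened_login(store, gate):
    gate.wait()                     # same concurrency pressure as above
    uid = store.insert("pending")   # insert with the default role first
    store.promote_if_first(uid)     # decide admin only after the row exists

def count_admins(login, n=5):
    """Run n concurrent first logins against an empty store; return admin count."""
    store, gate = UserStore(), threading.Barrier(n)
    threads = [threading.Thread(target=login, args=(store, gate)) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(role == "admin" for role in store.roles.values())

if __name__ == "__main__":
    print("check-then-insert admins:  ", count_admins(vulnerable_login))
    print("insert-then-promote admins:", count_admins(hardened_login))
```

On a deployed instance the same condition shows up as more than one account holding the admin role with near-identical creation times, which is worth checking on any affected install that enabled LDAP or OAuth before its first user existed.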
