CVE Catalog

CVE-2026-44551

Critical
Published: Translated: NVD NIST

Summary

In versions prior to 0.9.0 of the Open WebUI platform, the LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind against the LDAP server. The LdapForm Pydantic model accepts password as a string with no minimum length requirement, allowing an empty string to pass validation.

Risk Assessment

As a result of this vulnerability, an attacker could obtain a full session token for the target user, posing a serious threat to data security and system access.

Recommendation

It is recommended to upgrade to version 0.9.0 or later to fix this vulnerability and to implement additional password validation mechanisms.

Original NVD description (English source)

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind against the LDAP server. The LdapForm Pydantic model accepts password: str with no minimum length constraint, so an empty string passes validation. The subsequent Connection.bind() call succeeds on vulnerable LDAP servers, and the application issues a full session token for the target user. This vulnerability is fixed in 0.9.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS