PT-2026-39268 · Unknown · Open-Webui

Published 2026-05-05 · Updated 2026-05-19 · CVE-2026-44551

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.0
Description: Open WebUI does not check that the password is non-empty before performing an LDAP Simple Bind. RFC 4513 (section 5.1.2) treats a bind request with a non-empty name and an empty password as an "unauthenticated bind": a server that permits it returns a success result, but the resulting session is anonymous and the server has not verified the named user at all. Open WebUI nevertheless treats that success result as proof of identity, so against such a server an attacker can log in as any valid LDAP user, including administrators, without knowing the password. The root cause is that the LdapForm model enforces no minimum length on the password field, so an empty string reaches the Connection.bind() call unchanged; if the bind succeeds, the application issues a full session token, resulting in complete account takeover. The issue is exploitable via the '/api/v1/auths/ldap' endpoint by supplying a valid username and an empty password. Whether the bind succeeds depends on the directory server's policy for unauthenticated binds, so operators should verify that setting rather than assume it is disabled.
Recommendations: Update to version 0.9.0. As a temporary workaround, restrict access to the '/api/v1/auths/ldap' endpoint or disable LDAP authentication by setting ENABLE_LDAP to False until the update is applied.
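The following is an added example modelling the flaw described above and the check that closes it; it is not Open WebUI's own code. The names MockLdapServer, LdapForm, ldap_login_vulnerable, ldap_login_fixed and login_outcome, the sample directory contents and the base DN are all constructed for this example. The real application calls ldap3's Connection.bind(), which the mock only imitates using the Simple Bind outcomes defined in RFC 4513 section 5.1.

```python
# Added example (not Open WebUI's code): why an empty password must be
# rejected before an LDAP Simple Bind is attempted.
from dataclasses import dataclass
import secrets

# Constructed sample directory: bind DN -> password (assumption, not real data).
BASE_DN = "ou=people,dc=example,dc=org"
DIRECTORY = {
    f"uid=admin,{BASE_DN}": "S3cret!",
    f"uid=alice,{BASE_DN}": "hunter2",
}


class MockLdapServer:
    """Imitates the Simple Bind outcomes of RFC 4513 section 5.1.

    allow_unauthenticated=True stands in for a directory that accepts a
    non-empty name with an empty password (an 'unauthenticated bind'):
    the server answers success, but the session is anonymous, not the
    named user. A client that reads that success as proof of identity is
    exactly the situation the advisory describes."""

    def __init__(self, allow_unauthenticated: bool):
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn == "" and password == "":
            return True  # anonymous bind (RFC 4513 5.1.1)
        if password == "":
            # unauthenticated bind (RFC 4513 5.1.2): server policy decides
            return self.allow_unauthenticated
        return DIRECTORY.get(dn) == password  # name/password bind (5.1.3)


@dataclass
class LdapForm:
    """Login form. min_password_length mirrors the minimum-length constraint
    the advisory says was missing; the vulnerable model effectively used 0."""
    user: str
    password: str

    def validate(self, min_password_length: int) -> None:
        if not self.user:
            raise ValueError("user must not be empty")
        if len(self.password) < min_password_length:
            raise ValueError("password must not be empty")


def issue_session(user: str) -> dict:
    # Stand-in for the application's session token.
    return {"user": user, "token": secrets.token_hex(16)}


def ldap_login_vulnerable(server: MockLdapServer, form: LdapForm):
    """Before: the form allows an empty password, so the empty string reaches
    bind(); the bind result alone decides whether a session is issued."""
    form.validate(min_password_length=0)
    dn = f"uid={form.user},{BASE_DN}"
    if server.simple_bind(dn, form.password):
        return issue_session(form.user)
    return None


def ldap_login_fixed(server: MockLdapServer, form: LdapForm):
    """After: reject an empty password before any bind is attempted, so the
    server's unauthenticated-bind policy can never decide the login."""
    form.validate(min_password_length=1)
    dn = f"uid={form.user},{BASE_DN}"
    if server.simple_bind(dn, form.password):
        return issue_session(form.user)
    return None


def login_outcome(handler, server: MockLdapServer, user: str, password: str) -> str:
    """Reduce a login attempt to 'session', 'denied' or 'rejected'."""
    try:
        result = handler(server, LdapForm(user, password))
    except ValueError:
        return "rejected"  # stopped by input validation; no bind was sent
    return "session" if result else "denied"


if __name__ == "__main__":
    lax = MockLdapServer(allow_unauthenticated=True)
    for handler in (ldap_login_vulnerable, ldap_login_fixed):
        print(handler.__name__, "admin + empty password ->",
              login_outcome(handler, lax, "admin", ""))
```

Against the permissive mock, the vulnerable handler hands out a session for "admin" with an empty password, while the fixed handler rejects the request before any bind is sent. The same fixed handler still authenticates a correct password and still denies a wrong one, which is the behaviour a regression test for this class of bug should pin down. Note that the vulnerable handler is only safe when the directory itself refuses unauthenticated binds, which is a server-side setting the application cannot rely on.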
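One way to apply the "restrict access to the endpoint" workaround, as an added example rather than guidance from the advisory or the Open WebUI project: it assumes Open WebUI runs behind nginx and listens on 127.0.0.1:8080 (the upstream name and port are assumptions).

```nginx
# Added example: block the LDAP login endpoint at the reverse proxy until 0.9.0 is deployed.
upstream open_webui {
    server 127.0.0.1:8080;   # assumed Open WebUI listener
}

server {
    listen 443 ssl;
    server_name chat.example.org;   # placeholder hostname

    # Exact-match location wins over the prefix match below, so only this path is affected.
    location = /api/v1/auths/ldap {
        deny all;                 # every client gets 403; no request reaches the application
    }

    location / {
        proxy_pass http://open_webui;
    }
}
```

After reloading nginx, a POST to /api/v1/auths/ldap should return 403 while the rest of the application keeps working. Disabling LDAP with ENABLE_LDAP=False is the cleaner option when the proxy is not under your control, since it removes the login path inside the application instead of in front of it.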

Fix

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

BDU:2026-07029
CVE-2026-44551
GHSA-2R4P-JPMG-48F4

Affected Products

Open-Webui