PT-2026-41203 · Unknown · Open-Webui

Published 2026-05-14 · Updated 2026-05-15 · CVE-2026-45675
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.0

Description: The LDAP and OAuth authentication flows contain a time-of-check-to-time-of-use (TOCTOU) race condition in first-user admin role assignment. A TOCTOU race occurs when a system checks a condition and later acts on the result, but the condition changes between the check and the use. In these flows the user's role is determined before the user is inserted into the database: the first account created on an instance receives the admin role because the user table is empty at the time of the check. On a fresh instance, multiple concurrent authentication requests can all observe an empty database and all be assigned the admin role, because the has_users() and get_num_users() checks are performed before the new user row is created. The affected code is the insert_new_auth() function and the get_user_role() function on the LDAP and OAuth paths. The window exists only while the instance has no users, and an attacker must be able to complete sign-in against the configured LDAP or OAuth provider during it, which is why the vector carries AC:H.

Recommendations: Update to version 0.9.0 or later. On instances that accepted their first LDAP or OAuth sign-ins before the update, review the user list for more than one admin account.
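The race described above, reproduced as an added example in Python; this is not Open WebUI's code. The in-memory UserStore, the barrier used to force the interleaving, and the two signup functions are constructed for illustration; has_users(), get_user_role() and insert_new_auth() mirror the names in the description but are the example's own implementations. The vulnerable path decides the role and then inserts; the hardened path does both inside one critical section.

```python
import threading
from dataclasses import dataclass


@dataclass
class User:
    email: str
    role: str


class UserStore:
    """Constructed stand-in for the user table; not Open WebUI's database layer."""

    def __init__(self) -> None:
        self._users: dict[str, User] = {}
        # Serializes check+insert in the hardened path. A process-local lock only
        # covers one worker process; a multi-worker deployment needs the same
        # serialization in the database (for example an exclusive table lock held
        # in the transaction that inserts the first user).
        self.lock = threading.Lock()

    def has_users(self) -> bool:
        return len(self._users) > 0

    def get_user_role(self) -> str:
        # First account on the instance becomes admin, later ones regular users.
        return "user" if self.has_users() else "admin"

    def insert_new_auth(self, email: str, role: str) -> User:
        user = User(email, role)
        self._users[email] = user
        return user

    def admins(self) -> list[str]:
        return sorted(u.email for u in self._users.values() if u.role == "admin")


def vulnerable_signup(store: UserStore, email: str, barrier: threading.Barrier) -> str:
    """TOCTOU pattern: the role is decided (check) before the row exists (use)."""
    role = store.get_user_role()        # check: table still empty -> "admin"
    barrier.wait()                      # constructed interleaving: every request
                                        # passes the check before any insert runs
    store.insert_new_auth(email, role)  # use: the stale decision is written
    return role


def hardened_signup(store: UserStore, email: str, barrier: threading.Barrier) -> str:
    """Check and insert form one critical section, so later requests see the first row."""
    barrier.wait()                      # requests still arrive together...
    with store.lock:                    # ...but only one decides and inserts at a time
        role = store.get_user_role()
        store.insert_new_auth(email, role)
    return role


def run_concurrent_signups(signup, n_requests: int = 2) -> list[str]:
    """Fire n_requests first-login attempts at an empty store; return the roles granted, sorted."""
    store = UserStore()
    barrier = threading.Barrier(n_requests, timeout=5)
    roles: list[str] = []
    roles_lock = threading.Lock()

    def worker(i: int) -> None:
        role = signup(store, f"user{i}@example.test", barrier)
        with roles_lock:
            roles.append(role)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(roles)


if __name__ == "__main__":
    print("vulnerable:", run_concurrent_signups(vulnerable_signup, 3))  # every request becomes admin
    print("hardened:  ", run_concurrent_signups(hardened_signup, 3))    # exactly one admin
```

The barrier stands in for the timing an attacker would otherwise have to win by sending requests in parallel; it makes the bad interleaving deterministic so the two paths can be compared. The lock in the hardened path is the minimal fix within a single process. Open WebUI runs behind an ASGI server that may spawn several worker processes, so the same serialization has to be enforced where all workers meet, in the database, for the fix to hold.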

Weakness Enumeration

Race Condition
Improper Privilege Management

Related Identifiers

CVE-2026-45675
GHSA-H3WW-Q6XX-W7X3

Affected Products

Open-Webui