PatchSiren cyber security CVE debrief

CVE-2026-44551 open-webui CVE debrief

CVE-2026-44551 is a critical authentication flaw in Open WebUI prior to 0.9.0. The LDAP login path did not require a non-empty password before attempting a Simple Bind, and on vulnerable LDAP servers that bind could succeed and result in a full session token being issued for the target user.

Vendor: open-webui
Product: Unknown
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Administrators and security teams running self-hosted Open WebUI deployments that use LDAP authentication, especially where LDAP server behavior may accept empty-password binds.

Technical summary

The issue is a missing validation step in the LDAP authentication endpoint: the LdapForm Pydantic model declared password as a plain str with no minimum-length constraint, so an empty string passed request validation and reached Connection.bind() unchanged. Whether that bind succeeds depends on the directory. RFC 4513 section 5.1.2 defines a Simple Bind that carries a DN together with an empty password as an "unauthenticated" bind, which a server may answer with a success result while granting only anonymous authorization. An application that treats any successful bind() as proof of the named user's identity then issues a session for that account even though no credential was ever checked. NVD lists the vulnerability as affecting open_webui versions before 0.9.0 and maps it to CWE-287 (Improper Authentication).

Defensive priority

High. The bind is reachable by an unauthenticated network attacker who needs only the username of the target account, the outcome is a session for that account (confidentiality and integrity impact), and NVD rates it CVSS 3.1 9.1/Critical.

Recommended defensive actions

  • Upgrade Open WebUI to version 0.9.0 or later.
  • If LDAP authentication is enabled, review the deployment’s login flow and confirm empty passwords are rejected before bind attempts.
  • Check authentication and session logs for unexpected successful logins or session creation events tied to LDAP users.
  • If practical in your environment, confirm the directory rejects unauthenticated Simple Binds (a bind request naming a DN with an empty password, RFC 4513 section 5.1.2). OpenLDAP refuses these unless `allow bind_anon_cred` is configured; Active Directory accepts them by default, so do not rely on the server alone to protect this application path.
  • Revoke or rotate active sessions after remediation if you have reason to suspect misuse.
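The following is an added model of the flaw and of the pre-bind check recommended above; it is not Open WebUI code. Because the verifier runs offline, the ldap3 Connection and the Pydantic LdapForm are replaced by standard-library stand-ins: FakeLdapConnection models a server that honours RFC 4513 unauthenticated binds (non-empty DN, empty password, success as anonymous), and the directory contents, DNs and session format are constructed sample data. The bound-identity check in the hardened path is an extra defence-in-depth step of this example, not something the advisory attributes to the 0.9.0 fix.

```python
"""Added model of CVE-2026-44551: an empty password reaching an LDAP simple bind.

Not Open WebUI code. ldap3 and Pydantic are replaced by stand-ins so it runs offline.
"""
from dataclasses import dataclass
import secrets
from typing import Optional

# Constructed sample directory (DN -> password). Not real data.
BASE_DN = "ou=people,dc=example,dc=org"
DIRECTORY = {
    f"uid=alice,{BASE_DN}": "correct horse battery staple",
}


class FakeLdapConnection:
    """Minimal model of a Simple Bind endpoint (stand-in for ldap3.Connection).

    With allow_unauthenticated=True it behaves like a server that honours
    RFC 4513 section 5.1.2 'unauthenticated' binds: a non-empty DN with an
    empty password gets a success result, but only as the anonymous identity.
    That is the server-side condition the advisory calls a vulnerable LDAP server.
    """

    def __init__(self, user: str, password: str, allow_unauthenticated: bool = True):
        self.user = user
        self.password = password
        self.allow_unauthenticated = allow_unauthenticated
        self.bound_as: Optional[str] = None  # identity the server actually granted

    def bind(self) -> bool:
        if self.user and self.password == "":
            if self.allow_unauthenticated:
                self.bound_as = "anonymous"  # success, but nothing was verified
                return True
            return False  # hardened server: unauthenticated bind refused
        if DIRECTORY.get(self.user) == self.password:
            self.bound_as = self.user
            return True
        return False


@dataclass
class LdapForm:
    """Login form shape; the page describes the original as a Pydantic model
    with 'password: str' and no minimum length."""
    user: str
    password: str


def issue_session(username: str) -> dict:
    """Stand-in for the application's session token issuance."""
    return {"user": username, "token": secrets.token_hex(16)}


def ldap_login_vulnerable(form: LdapForm, server_allows_unauthenticated: bool = True) -> Optional[dict]:
    """Pre-0.9.0 pattern as the advisory describes it: no non-empty check,
    the submitted password goes straight into Connection.bind()."""
    dn = f"uid={form.user},{BASE_DN}"
    conn = FakeLdapConnection(dn, form.password, server_allows_unauthenticated)
    if conn.bind():
        return issue_session(form.user)  # issued even when bound_as == "anonymous"
    return None


def validate_ldap_form(form: LdapForm) -> None:
    """Equivalent of Field(min_length=1) on the password: reject before any bind."""
    if not isinstance(form.password, str) or form.password == "":
        raise ValueError("password must be a non-empty string")


def ldap_login_fixed(form: LdapForm, server_allows_unauthenticated: bool = True) -> Optional[dict]:
    """Hardened flow: validate first, then (defence in depth, an assumption beyond
    the page) only issue a session if the server bound us as the user's own DN."""
    validate_ldap_form(form)
    dn = f"uid={form.user},{BASE_DN}"
    conn = FakeLdapConnection(dn, form.password, server_allows_unauthenticated)
    if conn.bind() and conn.bound_as == dn:
        return issue_session(form.user)
    return None


if __name__ == "__main__":
    empty = LdapForm("alice", "")
    print("vulnerable, empty password:", ldap_login_vulnerable(empty))  # a session
    try:
        ldap_login_fixed(empty)
    except ValueError as err:
        print("fixed, empty password rejected:", err)
    print("fixed, real password:", ldap_login_fixed(LdapForm("alice", "correct horse battery staple")))
```

The bound-identity check is the part worth carrying into a real deployment: with ldap3 the analogous call is `conn.extend.standard.who_am_i()` after `bind()`, which returns the authorization identity the server granted and exposes an anonymous result that a bare True from bind() hides. To probe the directory itself from a host with the OpenLDAP client tools, a `ldapwhoami -x -D <user DN> -w ""` against the server either reports an anonymous identity (unauthenticated binds accepted) or fails with the server's refusal.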

Evidence notes

All substantive findings here come from the supplied CVE description and NVD metadata. The record states that Open WebUI prior to 0.9.0 lacked non-empty password validation in its LDAP authentication endpoint, that an empty password could pass validation, that Connection.bind() could succeed on vulnerable LDAP servers, and that a full session token could then be issued. NVD metadata also marks the issue as analyzed, assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, lists CWE-287, and indicates the vulnerable version range ends before 0.9.0.

Official resources

Publicly disclosed on 2026-05-15, with the supplied record later modified on 2026-05-18. The fix is noted as available in Open WebUI 0.9.0.