PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59218 open-webui CVE debrief

CVE-2026-59218 is an account enumeration vulnerability in Open WebUI prior to version 0.10.0. This issue allows attackers to determine if an account exists by analyzing response times during the authentication process. The vulnerability is due to the /api/v1/auths/signin endpoint looking up users by email and only performing bcrypt password verification if a credential existed. This results in measurably slower response times for registered accounts compared to non-existent ones.

Vendor
open-webui
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of Open WebUI, especially those hosting it publicly, should be aware of this vulnerability and ensure they are running version 0.10.0 or later to mitigate the risk. This includes reviewing their current deployment status, assessing potential impact, and implementing necessary updates or mitigations.

Technical summary

The /api/v1/auths/signin endpoint in Open WebUI prior to 0.10.0 was vulnerable to account enumeration. The endpoint would look up users by email and only perform bcrypt password verification if a credential existed. This resulted in measurably slower response times for registered accounts compared to non-existent ones, allowing attackers to enumerate valid accounts. Users of Open WebUI should review their deployment and ensure they are running version 0.10.0 or later.

Defensive priority

Medium priority due to the relatively low CVSS score of 5.3 and the need for an attacker to have network access. However, users hosting Open WebUI publicly should take immediate action to mitigate potential risks.

Recommended defensive actions

  • Upgrade Open WebUI to version 0.10.0 or later
  • Implement additional monitoring for authentication attempts
  • Consider rate limiting authentication requests
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-09T17:17:02.750Z and last modified on 2026-07-10T18:30:58.837Z. The NVD entry is currently Analyzed. The Open WebUI platform has a self-hosted AI feature set. Users should verify their deployment status and review the official advisory for affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T17:17:02.750Z and has not been modified since then. The NVD entry is currently Analyzed.