CVE-2026-44551: Open WebUI LDAP Bypass via Empty Password
The National Vulnerability Database has detailed CVE-2026-44551, a critical authentication bypass vulnerability affecting Open WebUI versions prior to 0.9.0. Open WebUI, a self-hosted offline AI platform, failed to validate that submitted LDAP passwords were non-empty before performing a Simple Bind. This oversight allowed an empty string to pass validation within the LdapForm Pydantic model.
Critically, vulnerable LDAP servers would then successfully process this empty password bind, leading the application to issue a full session token for the target user. This means an attacker could gain unauthorized access to any user account if the LDAP server is configured to permit binds with empty passwords. The National Vulnerability Database assigns this a CVSS score of 9.1 (Critical) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, highlighting the network-exploitable, low-complexity, and high-impact nature of this flaw.
This vulnerability, categorized under CWE-287 (Improper Authentication), underscores a fundamental security architecture flaw. Defenders must recognize that even seemingly minor input validation issues in authentication flows can have catastrophic consequences. The attacker’s calculus here is simple: try an empty password, and if the stars align with a misconfigured LDAP, full access is granted with zero credentials.
What This Means For You
- If your organization uses Open WebUI, immediately upgrade to version 0.9.0 or later to patch CVE-2026-44551. Furthermore, audit your LDAP server configurations to ensure they explicitly reject Simple Binds with empty passwords. This is a critical authentication bypass; assume compromise if you were running vulnerable versions and have not yet patched.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-44551: Open WebUI LDAP Authentication Bypass via Empty Password
title: CVE-2026-44551: Open WebUI LDAP Authentication Bypass via Empty Password
id: scw-2026-05-15-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-44551 by targeting the Open WebUI LDAP authentication endpoint with a POST request. The vulnerability allows an attacker to bypass authentication by submitting an empty password. This rule specifically looks for the '/api/auth/login' endpoint, POST method, and the presence of a 'username=' query parameter, which are indicative of the exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-44551/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: authentication
detection:
selection:
cs-uri|contains:
- '/api/auth/login'
cs-method|contains:
- 'POST'
cs-uri-query|contains:
- 'username='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44551 | Auth Bypass | Open WebUI versions prior to 0.9.0 |
| CVE-2026-44551 | Auth Bypass | LDAP authentication endpoint in Open WebUI |
| CVE-2026-44551 | Auth Bypass | LdapForm Pydantic model accepts empty password string |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 15, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
radare2 Use-After-Free (CVE-2026-8696) Risks Denial of Service, RCE
CVE-2026-8696 — radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial...
CVE-2026-45675: Open WebUI Vulnerable to Admin Role Race Condition
CVE-2026-45675 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, he LDAP and OAuth authentication flows use...
CVE-2026-45671: Open WebUI File Deletion Flaw Impacts Self-Hosted AI
CVE-2026-45671 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files...