Impact
The LDAP authentication endpoint in Open WebUI, before version 0.9.0, does not enforce that a password is non-empty before attempting a Simple Bind. An attacker can submit an empty password string, which the Pydantic request model accepts. Because LDAP treats a Simple Bind carrying a DN and an empty password as an unauthenticated (anonymous) bind rather than as a credential check, the bind succeeds on LDAP servers that allow this, and the application then issues a fully legitimate session token for the targeted LDAP user, effectively granting unauthorized access. The issue is classified as CWE-287 (Improper Authentication) and is resolved in version 0.9.0 by adding proper empty-password validation in the LDAP module.
Affected Systems
All installations of Open WebUI older than 0.9.0 that authenticate users through LDAP via the exposed endpoint are vulnerable, including any deployment of the maintainer's Open WebUI product that relies on LDAP for user login.
Risk and Exploitability
The vulnerability carries a CVSS score of 9.1 and an EPSS score of 1%, indicating a low but measurable risk of exploitation in the wild. It is not currently listed in the CISA KEV catalog. The likely attack vector is remote: an attacker able to reach the web host can send an HTTP request to the LDAP authentication endpoint with an empty password and obtain a valid session token for any existing LDAP user, thereby gaining the privileges associated with that account.
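The following Python illustration is added here and is not Open WebUI's code: it models the flaw described under Impact (a bind outcome alone deciding whether a session is issued) next to the validation the fix introduces. The LDAP server, the DN and the password are constructed stand-ins; the server stub only mimics the unauthenticated-bind behaviour, no real directory or Pydantic model is involved.

```python
from dataclasses import dataclass

# Constructed stand-in directory: one user DN mapped to its password.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=org": "correct-horse"}


@dataclass
class BindResult:
    bound: bool           # the server answered "success" to the bind request
    authenticated: bool   # a real credential was actually verified


def simulated_simple_bind(dn: str, password: str) -> BindResult:
    """Stand-in for an LDAP Simple Bind on a server that allows unauthenticated binds.

    A DN with an empty password is accepted as an anonymous bind (success
    on the wire) even though no credential was checked; that is the
    behaviour the advisory relies on.
    """
    if password == "":
        return BindResult(bound=True, authenticated=False)
    if DIRECTORY.get(dn) == password:
        return BindResult(bound=True, authenticated=True)
    return BindResult(bound=False, authenticated=False)


def vulnerable_login(dn: str, password: str) -> bool:
    """Pre-fix pattern: issue a session whenever the bind reports success."""
    return simulated_simple_bind(dn, password).bound


def hardened_login(dn: str, password: str) -> bool:
    """Post-fix pattern: reject empty or blank passwords before any bind.

    Also require that the bind actually verified a credential, which
    defends in depth should the server still permit anonymous binds.
    """
    if password is None or password.strip() == "":
        return False
    result = simulated_simple_bind(dn, password)
    return result.bound and result.authenticated


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=org"
    print("vulnerable, empty password:", vulnerable_login(dn, ""))   # True
    print("hardened, empty password:  ", hardened_login(dn, ""))     # False
    print("hardened, real password:   ", hardened_login(dn, "correct-horse"))  # True
```

The same check belongs at the request-validation layer too (for example a minimum length of 1 on the password field), so that an empty string never reaches the bind call at all.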
OpenCVE Enrichment
Github GHSA