High · github · GHSA-h3ww-q6xx-w7x3
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
Published May 14, 2026 · CVSS 8.1
Summary
The LDAP and OAuth authentication flows use a TOCTOU (time-of-check to time-of-use) pattern for first-user admin role assignment: they first check whether the user table is empty and only then insert the new user with the role that check produced, so two concurrent first signups can each observe an empty table and both be created as admin. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment "Insert with default role first to avoid TOCTOU race", but the LDAP and OAuth code paths were never updated with the same fix.
Vulnerable Code
LDAP (auths.py, lines 479-490)

```python
# Line 482 - CHECK: is the user table empty?
role = 'admin' if not Users.has_users(db=db) else request.app.state.config.DEFAULT_USER_ROLE
# Lines 484-490 - USE: create user with the role determined above
user = Auths.insert_new_auth(
    email=email,
    password=str(uuid.uuid4()),
    name=cn,
    role=role,  # decided before the insert; a concurrent signup can reach the same decision
    # remaining arguments elided in the advisory
)
```

= 0.9.0` are not affected.
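The check-then-insert window described in the summary and in the LDAP snippet above, next to the "insert with default role first" pattern the advisory's quoted comment refers to, as an added example that is not code from the advisory or from the Open WebUI code base. It models the user table with SQLite and deliberately parks every signup thread at a barrier between the CHECK and the USE so the race is reproducible rather than timing dependent. The table and column names, the `DEFAULT_USER_ROLE` value and the promotion query are assumptions; in particular, the fixed path promotes with a single conditional `UPDATE` that is my illustration of the idea, not the project's actual patch.

```python
import os
import sqlite3
import tempfile
import threading
import uuid

# Assumed default role for a non-first signup (Open WebUI makes this configurable).
DEFAULT_USER_ROLE = "pending"

# Minimal stand-in for the user table; the schema is constructed for this example.
SCHEMA = """
CREATE TABLE IF NOT EXISTS user (
    id    TEXT PRIMARY KEY,
    email TEXT UNIQUE NOT NULL,
    role  TEXT NOT NULL
)
"""


def _connect(path):
    # isolation_level=None puts the connection in autocommit mode: every statement is
    # its own transaction, so the conditional UPDATE below runs atomically.
    return sqlite3.connect(path, timeout=10, isolation_level=None)


def has_users(conn):
    return conn.execute("SELECT EXISTS(SELECT 1 FROM user)").fetchone()[0] == 1


def signup_racy(path, email, barrier=None):
    """Vulnerable pattern: decide the role (CHECK), then insert with it (USE)."""
    conn = _connect(path)
    try:
        role = "admin" if not has_users(conn) else DEFAULT_USER_ROLE  # CHECK
        if barrier is not None:
            barrier.wait()  # hold here so every concurrent signup has seen an empty table
        conn.execute(
            "INSERT INTO user (id, email, role) VALUES (?, ?, ?)",
            (str(uuid.uuid4()), email, role),  # USE: acts on a possibly stale decision
        )
    finally:
        conn.close()


def signup_fixed(path, email, barrier=None):
    """Fixed pattern: insert with the default role, then promote atomically."""
    conn = _connect(path)
    try:
        user_id = str(uuid.uuid4())
        if barrier is not None:
            barrier.wait()  # same contention, but the decision is no longer made up front
        conn.execute(
            "INSERT INTO user (id, email, role) VALUES (?, ?, ?)",
            (user_id, email, DEFAULT_USER_ROLE),
        )
        # Promote only if this row is the earliest row in the table. The subquery and the
        # row test are evaluated inside one write transaction, so at most one signup wins.
        conn.execute(
            "UPDATE user SET role = 'admin' "
            "WHERE id = ? AND rowid = (SELECT MIN(rowid) FROM user)",
            (user_id,),
        )
    finally:
        conn.close()


def run_concurrent_signups(signup, n=4):
    """Run n concurrent signups on a fresh database; return (admin_count, user_count)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = _connect(path)
        conn.execute(SCHEMA)
        conn.close()
        barrier = threading.Barrier(n, timeout=10)
        threads = [
            threading.Thread(target=signup, args=(path, f"user{i}@example.test", barrier))
            for i in range(n)
        ]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        conn = _connect(path)
        try:
            admins = conn.execute("SELECT COUNT(*) FROM user WHERE role = 'admin'").fetchone()[0]
            total = conn.execute("SELECT COUNT(*) FROM user").fetchone()[0]
        finally:
            conn.close()
        return admins, total
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("check-then-insert:", run_concurrent_signups(signup_racy, 4))   # (4, 4)
    print("insert-then-promote:", run_concurrent_signups(signup_fixed, 4))  # (1, 4)
```

Running the block shows four admins out of four users for the racy path and exactly one for the fixed path. The general lesson is that the emptiness check and the role write have to be one atomic database operation; whether that is a conditional `UPDATE` as here, an `INSERT ... SELECT` guarded by the same predicate, or a unique partial index that the database refuses to violate, the decision must not be computed in application memory and applied later.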
Affected AI Products: llm