Open WebUI LDAP and OAuth Authentication Race Condition Vulnerability Allowing Unauthorized Admin Access

Vulnerability

A race condition vulnerability has been identified in Open WebUI's LDAP and OAuth authentication flows in versions prior to 0.9.0. It stems from a Time-of-Check-Time-of-Use (TOCTOU) issue in the first-user admin role assignment: the handler checks whether any users exist and, if none do, assigns the admin role to the new account, but the check and the assignment are not performed atomically. The regular signup handler was patched to close this race, but the LDAP and OAuth paths were not updated, so on a fresh instance with no existing users several concurrent logins can each pass the "no users yet" check and all be assigned the admin role.

Impact

Exploitation of this vulnerability allows any user who authenticates via LDAP or OAuth during that window on a fresh instance to gain administrative privileges, including access to all user data, system configuration, API keys, and connected LLM backends.

Reproduction

To reproduce this vulnerability, deploy Open WebUI with LDAP or OAuth enabled on a fresh instance where no users exist. Then, send multiple concurrent authentication requests from different users. All requests will pass the initial user count check simultaneously, resulting in multiple users being granted admin rights.
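The following is an added illustration of the TOCTOU pattern described above, not code from Open WebUI: a toy in-memory user store (constructed for this example) with a check-then-insert handler that can hand out the admin role more than once, beside a hardened handler that makes the check and the insert atomic. The lock-based fix is an assumption used to demonstrate the principle; a multi-worker deployment needs the same guarantee at the database level (a transaction or uniqueness constraint), since a process-local lock only serializes requests within one process.

```python
import threading
import time

RACE_WINDOW_SECONDS = 0.05  # artificial delay to make the race reproducible


class UserStore:
    """Toy in-memory user table standing in for the real database (constructed)."""

    def __init__(self):
        self.users = {}  # email -> role
        self.lock = threading.Lock()  # serializes first-user role assignment

    def count(self):
        return len(self.users)

    def insert(self, email, role):
        self.users[email] = role


def signup_vulnerable(store, email):
    # Time of check: decide the role from the current user count.
    role = "admin" if store.count() == 0 else "user"
    time.sleep(RACE_WINDOW_SECONDS)  # other requests run the same check here
    # Time of use: the count may have changed, but the role decision has not.
    store.insert(email, role)
    return role


def signup_fixed(store, email):
    # Check and insert happen under one lock, so only the first caller
    # can observe an empty store and claim the admin role.
    with store.lock:
        role = "admin" if store.count() == 0 else "user"
        time.sleep(RACE_WINDOW_SECONDS)  # same delay; no longer exploitable
        store.insert(email, role)
    return role


def count_admins_after_concurrent_signups(handler, emails):
    """Run one signup per email concurrently and return how many admins result."""
    store = UserStore()
    threads = [threading.Thread(target=handler, args=(store, e)) for e in emails]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for role in store.users.values() if role == "admin")
```

With four concurrent signups, the vulnerable handler produces four admins and the fixed handler exactly one.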

Remediation

Users should update to Open WebUI version 0.9.0 or later, where this vulnerability has been fixed. Instructions for updating can be found in the Open WebUI repository.

Added: May 15, 2026, 8:20 PM
Updated: May 15, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  5.6
remediation     7.7
relevance       8.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.