Cyber Resilience

CVE-2026-44551

Critical · Public PoC

Published: 15 May 2026
Modified: 18 May 2026
KEV Added: not listed
CVSS v3.1 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0146 (70.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-44551 is a critical-severity Improper Authentication (CWE-287) vulnerability in Openwebui Open Webui. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.9.0, its LDAP authentication endpoint fails to enforce a non-empty password requirement before issuing a Simple Bind request to the LDAP server. The LdapForm Pydantic model accepts a password field of type str without any minimum-length constraint, allowing an empty string to pass validation; when the downstream Connection.bind() call succeeds against permissive LDAP servers, the application then returns a full session token for the targeted account. The issue is tracked as CVE-2026-44551 with a CVSS 3.1 score of 9.1 and is assigned CWE-287.

An unauthenticated remote attacker can supply an empty password for any valid username at the LDAP login endpoint and obtain a valid session token, resulting in full account impersonation with high impact on confidentiality and integrity. No user interaction or prior credentials are required, and the attack succeeds against any LDAP server that treats an empty password as a successful bind.

The vulnerability is addressed in the 0.9.0 release, as documented in the project’s GitHub Security Advisory GHSA-2r4p-jpmg-48f4. The EPSS score remains flat at 0.0264 with no material increase after disclosure.
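The failure mode described above, as an added illustration that is not Open WebUI's own code: a form model with an unconstrained password field, a stand-in for an LDAP server that accepts an unauthenticated Simple Bind (RFC 4513, section 5.1.2), and the vulnerable login flow beside a hardened one that rejects empty credentials before any bind is attempted. The class and function names, and the sample directory, are constructed for this example.

```python
"""Empty-password LDAP Simple Bind: vulnerable flow beside a hardened one."""
from dataclasses import dataclass
import secrets


class PermissiveLdapConnection:
    """Constructed stand-in for an LDAP server that, as RFC 4513 section 5.1.2
    allows, treats a DN with an empty password as an *unauthenticated* bind
    and reports success without checking any secret."""

    def __init__(self, directory):
        self.directory = directory  # username -> password (constructed sample)

    def bind(self, username, password):
        if username not in self.directory:
            return False
        if password == "":
            return True  # unauthenticated bind: no credential was verified
        return self.directory[username] == password


@dataclass
class LdapForm:
    user: str
    password: str  # no minimum length, so "" is accepted as a valid form


def ldap_login_vulnerable(form, conn):
    """Issues a session token whenever bind() reports success (pre-fix pattern)."""
    if conn.bind(form.user, form.password):
        return secrets.token_hex(16)
    return None


def ldap_login_hardened(form, conn):
    """Refuses empty user or password before the LDAP server is ever contacted."""
    if not form.user or not form.password:
        return None
    if conn.bind(form.user, form.password):
        return secrets.token_hex(16)
    return None


SAMPLE_DIRECTORY = {"alice": "correct-horse"}  # constructed test data


def demo():
    """Returns whether each flow handed out a token for the given inputs."""
    conn = PermissiveLdapConnection(SAMPLE_DIRECTORY)
    empty = LdapForm(user="alice", password="")
    return {
        "vulnerable_empty": ldap_login_vulnerable(empty, conn) is not None,
        "hardened_empty": ldap_login_hardened(empty, conn) is not None,
        "hardened_valid": ldap_login_hardened(LdapForm("alice", "correct-horse"), conn) is not None,
        "hardened_wrong": ldap_login_hardened(LdapForm("alice", "nope"), conn) is not None,
    }
```

The empty-password check belongs in the application because the LDAP server's bind result alone cannot distinguish a verified password from an unauthenticated bind.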

Vulnerability details

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind against the LDAP server. The LdapForm Pydantic model accepts password: str with no minimum length constraint, so an empty string passes validation. The subsequent Connection.bind() call succeeds on vulnerable LDAP servers, and the application issues a full session token for the target user. This vulnerability is fixed in 0.9.0.

CWE(s): CWE-287 Improper Authentication

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: artificial intelligence, open webui

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct auth bypass in public-facing web app LDAP endpoint enables exploitation of the application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

Same product (Openwebui Open Webui):
CVE-2026-45401
CVE-2026-44555
CVE-2026-45398
CVE-2026-45315
CVE-2026-45400
CVE-2026-45350
CVE-2026-45338
CVE-2026-34222
CVE-2026-45331
CVE-2026-44567

Affected Assets

openwebui open webui, versions ≤ 0.9.0

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Directly requires the system to enforce approved authentication policies before granting access, blocking the empty-password Simple Bind that bypasses LDAP credential checks.

Prevent (SI-10, Information Input Validation): Mandates validation of all inputs against security rules, which would have rejected the unconstrained empty password field accepted by the LdapForm Pydantic model.

Prevent: Requires reliable identification and authentication mechanisms for users, exposing the missing non-empty password check that allowed unauthenticated session-token issuance.
