How the vulnerability works (CVE-less but real issue):
The LDAP authentication endpoint fails to validate that the submitted password is non‑empty before performing a Simple Bind. The `LdapForm` Pydantic model accepts `password: str` with no minimum length, so an empty string passes validation. Per RFC 4513 §5.1.2, a Simple Bind with a valid DN and an empty password is “unauthenticated simple authentication.” Many LDAP servers (OpenLDAP default, some Active Directory setups) return success (resultCode 0) for this operation. The vulnerable code resides in `backend/open_webui/routers/auths.py` (lines 468‑477) where `Connection.bind()` is called with `form_data.password` (which can be ""). If the bind succeeds, execution continues and `authenticate_user_by_email` (line 507) issues a full session token. An attacker sends a POST to `/api/v1/auths/ldap` with {"user": "known_username", "password": ""}. Because the LDAP server treats empty‑password bind as unauthenticated, it returns success, and the application grants a valid session cookie. No rate limiting is applied on this endpoint. Preconditions: `ENABLE_LDAP=True` (disabled by default) and the LDAP server must accept unauthenticated simple binds. Impact: complete account takeover including admins with zero user interaction.
dailycve form (3 words max per line):
Platform: Open WebUI
Version: commit 6fdd19bf1
Vulnerability: LDAP empty bypass
Severity: Critical
Date: 2026-05-08
Prediction: Patch 2026-05-15
What Undercode Say:
# Check whether LDAP is enabled in the environment (it is off by default)
grep ENABLE_LDAP .env || echo "LDAP likely disabled"
# Test the empty-password bypass
curl -X POST https://target/api/v1/auths/ldap \
  -H "Content-Type: application/json" \
  -d '{"user":"admin","password":""}'
# A session token in the response means the instance is vulnerable
# Monitor auths.py lines 468-477 for an empty-string password reaching the bind
Exploit:
Send a single POST request with `"password": ""` to the LDAP login endpoint using a known valid LDAP username. No prior authentication, no brute force, no user interaction. If the LDAP server accepts unauthenticated binds, the application returns a valid session token for that user.
Protection from this CVE:
- Reject empty passwords before the LDAP bind: add `min_length=1` to the `LdapForm.password` field.
- In auths.py, check `if not form_data.password: raise HTTPException` before calling `Connection.bind()`.
- Configure the LDAP server to reject unauthenticated simple binds (e.g., OpenLDAP `disallow bind_anon`; AD: disable "Allow anonymous LDAP operations").
- Set `ENABLE_LDAP=False` if LDAP is not needed.
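The vulnerable flow beside the hardened one, as an added example that is not Open WebUI's code: `FakeLdapServer` is a constructed in-memory stand-in for the directory that mimics the RFC 4513 unauthenticated-simple-bind behaviour, `LdapForm` is a plain stand-in for the Pydantic model, and `validate_ldap_form` plays the role of the `min_length=1` / `if not form_data.password` guard; the token string is a placeholder.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class FakeLdapServer:
    """Constructed in-memory stand-in for the directory (not ldap3).
    Models RFC 4513 section 5.1.2: a Simple Bind with a valid name and an
    empty password is an unauthenticated bind, which many servers answer
    with resultCode 0 (success) unless configured to refuse it."""

    def __init__(self, users: Dict[str, str], allow_unauthenticated: bool = True):
        self._users = users  # username -> password (constructed sample data)
        self._allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        if password == "":
            return self._allow_unauthenticated  # unauthenticated simple bind
        return self._users[user] == password


@dataclass
class LdapForm:
    """Plain stand-in for the Pydantic model; nothing enforces a minimum length."""
    user: str
    password: str


class EmptyPasswordError(ValueError):
    """What Field(min_length=1) on LdapForm.password would raise in the real model."""


def validate_ldap_form(form: LdapForm) -> LdapForm:
    """Pre-bind guard: reject an empty password before any bind is attempted."""
    if not form.password:
        raise EmptyPasswordError("password must not be empty")
    return form


def ldap_login(form: LdapForm, server: FakeLdapServer, hardened: bool) -> Optional[str]:
    """Return a session token on success, None on failure. hardened=False
    reproduces the vulnerable flow: the submitted password, even "", goes
    straight to the bind and a successful bind yields a session."""
    if hardened:
        try:
            validate_ldap_form(form)
        except EmptyPasswordError:
            return None
    if not server.simple_bind(form.user, form.password):
        return None
    return "session-for-" + form.user  # constructed token stand-in
```

Either fix on its own closes the hole: the application-side guard stops the empty password before the bind, and a server configured to refuse unauthenticated binds makes the bind itself fail.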
Impact:
Complete authentication bypass. Attacker gains full access to victim’s chats, files, API keys, settings, and can modify data or send messages as the victim, including admin accounts. No rate limiting exposes the endpoint to immediate automated attacks.
Sources:
Reported By: github.com

