CVE-2026-44551

Open WebUI · Open WebUI

The LDAP authentication endpoint in Open WebUI fails to reject empty passwords, allowing unauthenticated attackers to bypass authentication and obtain session tokens.

Executive summary

An authentication bypass vulnerability in Open WebUI allows unauthenticated attackers to gain unauthorized access to the platform via empty LDAP password submissions.

Vulnerability

This is an authentication bypass in the LDAP bind process: the application does not enforce a minimum length constraint on the password field, so a login request carrying a valid username and an empty password is passed straight to the directory bind. In LDAP, a simple bind that supplies a name together with an empty password is an unauthenticated bind, which many directory servers report as successful, so an unauthenticated attacker can bind as an arbitrary user.
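The defect and its fix, as an added example that is not Open WebUI's own code: a stand-in directory that follows the LDAP unauthenticated-bind rule (name plus empty password answered as success, the behaviour the advisory relies on) is called first by a login handler that forwards the client's input unchecked, then by a hardened handler that refuses to bind at all when the password is empty. The directory entries, bind DNs and session-token format are constructed for illustration.

```python
# Added example, not code from Open WebUI. Demonstrates why an empty password
# must be rejected BEFORE the LDAP bind is attempted, and what happens when
# it is not. The directory below is a constructed stand-in, not a real server.

# Constructed sample directory: bind DN -> expected password (hypothetical).
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=org": "correct-horse-battery",
}


class FakeLdapServer:
    """Mimics a directory that accepts unauthenticated (empty-password) binds."""

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn not in DIRECTORY:
            return False  # unknown DN: invalid credentials
        if password == "":
            # RFC 4513 section 5.1.2: a name with an empty password is an
            # "unauthenticated bind". Directories that leave this enabled
            # answer success even though no credential was checked.
            return True
        return DIRECTORY[dn] == password


def vulnerable_login(server: FakeLdapServer, dn: str, password: str):
    """Hands the client's password to the bind call with no validation.

    With an empty password the directory reports success and the caller
    mints a session for the requested DN: the bypass the advisory describes.
    """
    if server.simple_bind(dn, password):
        return f"session-for-{dn}"  # constructed token stand-in
    return None


def hardened_login(server: FakeLdapServer, dn: str, password: str):
    """Refuses to bind unless a non-empty string password was supplied.

    Checking on the application side does not depend on how the directory
    is configured, so the bypass is closed regardless of server defaults.
    """
    if not isinstance(password, str) or password == "":
        return None  # never forward an empty password to the bind
    if server.simple_bind(dn, password):
        return f"session-for-{dn}"
    return None
```

Configuring the directory itself to reject unauthenticated binds is a useful second layer, but the application-side check is what removes the dependency on that setting.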

Business impact

Successful exploitation leads to full account takeover, granting attackers unauthorized access to sensitive AI data and administrative functions. With a CVSS score of 9.1, this represents a critical risk to data confidentiality and integrity.

Remediation

Immediate Action: Upgrade the Open WebUI instance to version 0.9.0 or later to ensure proper LDAP password validation.

Proactive Monitoring: Review LDAP authentication logs for patterns of unusual bind requests or successful logins with anomalous user-agent strings.

Compensating Controls: Implement network-level restrictions to limit access to the login interface to trusted IP ranges until the patch can be applied.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity of this authentication bypass, administrators must prioritize the update to version 0.9.0 immediately. Failure to patch leaves the platform vulnerable to trivial account takeover by unauthenticated remote actors.