CVE-2026-59218 in Open WebUI
Summary
by MITRE • 07/09/2026
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than missing-email attempts and allowing unauthenticated account enumeration. This issue is fixed in version 0.10.0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability identified in Open WebUI versions prior to 0100 represents a critical security flaw that undermines the platform's authentication mechanism through timing-based account enumeration attacks. This weakness specifically affects the /api/v1/auths/signin endpoint which processes user authentication requests by first performing an email lookup operation before executing password verification. The implementation design creates a measurable timing difference between successful and failed authentication attempts, as the system only executes the computationally expensive bcrypt password hashing when a user account is found to exist. This differential processing time creates a side-channel attack vector that malicious actors can exploit to determine whether specific email addresses are registered within the system.
The technical nature of this vulnerability aligns with CWE-208, which describes timing attacks where attackers can infer information about system behavior through timing differences in execution. The flaw directly enables unauthorized account enumeration by allowing attackers to distinguish between valid and invalid email addresses based on response times from the authentication endpoint. When attempting to sign in with a known email address that exists in the system, the server performs additional cryptographic operations that extend the response time compared to attempts with non-existent email addresses. This timing variation occurs because the bcrypt password verification process is only invoked when an account lookup returns positive results, whereas non-existent accounts trigger immediate rejection without any password hashing computations.
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables attackers to systematically identify valid user accounts within the Open WebUI platform. Security researchers and malicious actors can leverage this timing discrepancy to conduct automated enumeration campaigns, potentially leading to credential stuffing attacks against discovered email addresses or targeted brute force attempts against specific user accounts. The vulnerability particularly affects systems where user registration is not restricted to a specific set of known users, as attackers can enumerate legitimate accounts through simple API requests without requiring any prior access credentials. This weakness compromises the fundamental security principle of authentication systems that should provide consistent response times regardless of whether requested credentials exist.
The mitigation for this vulnerability requires implementing constant-time authentication responses that ensure cryptographic operations occur consistently regardless of account existence status. The fix implemented in version 0100 addresses this by ensuring that password verification occurs uniformly for all authentication attempts, eliminating the timing discrepancies that enabled enumeration attacks. This approach aligns with recommended practices from the OWASP Authentication Cheat Sheet and follows ATT&CK technique T1212 by preventing adversaries from extracting information through timing differences in system responses. Organizations should implement similar protections across all authentication endpoints and ensure that cryptographic operations maintain consistent execution times, regardless of input values or account status. The fix demonstrates the importance of considering side-channel attack vectors during security design reviews and emphasizes the need for defensive programming practices that prevent information leakage through timing variations in system behavior.