GHSA-h3ww-q6xx-w7x3: Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
Summary
Open WebUI has a time-of-check-to-time-of-use (TOCTOU) race condition in its LDAP and OAuth login flows that allows multiple users to become administrators on a fresh installation. In a TOCTOU race the code checks a condition and later acts on the result, but the condition can change between the check and the use. When the first user logs in via LDAP or OAuth, the system checks whether the database is empty and assigns the admin role before creating the user account, so multiple concurrent login requests can all observe an empty database and all become admins. The regular signup method was already fixed with a safer approach, but the LDAP and OAuth paths were never updated with the same fix.
Solution / Mitigation
Fixed in v0.9.0 (April 2026). The LDAP and OAuth code paths were updated to use the same insert-first-check-after pattern as the signup handler: insert the new user with DEFAULT_USER_ROLE first without checking user count, then after the insert commits, atomically check if `Users.get_num_users() == 1`. Only if this user is the sole user in the database are they promoted to admin via `Users.update_user_role_by_id`. This ensures that if two concurrent first-user registrations both insert users, only one will see the count as 1 and receive admin promotion.
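The following is an added example, not Open WebUI's own code: a deterministic model of the check-then-insert race described above and of the insert-first-check-after fix. The `UserStore` class is a constructed in-memory stand-in for the project's Users table; only the method names `get_num_users` and `update_user_role_by_id` and the `DEFAULT_USER_ROLE` setting come from the advisory, and the value assigned to `DEFAULT_USER_ROLE`, the `insert_new_user` helper and the user ids are assumptions. Each login flow is written as a generator so the scheduler can pause it between its two database operations, which is exactly the window the race exploits.

```python
"""
Added example (not Open WebUI's code): models the first-user TOCTOU race and
the insert-first-check-after fix from GHSA-h3ww-q6xx-w7x3.
"""

DEFAULT_USER_ROLE = "pending"  # assumed value; the real setting is configurable


class UserStore:
    """Constructed in-memory stand-in for the Users table.
    Each method represents one database round-trip."""

    def __init__(self):
        self._users = {}

    def insert_new_user(self, user_id, role):  # hypothetical helper name
        self._users[user_id] = {"id": user_id, "role": role}

    def get_num_users(self):  # name taken from the advisory
        return len(self._users)

    def update_user_role_by_id(self, user_id, role):  # name taken from the advisory
        self._users[user_id]["role"] = role

    def admins(self):
        return sorted(u["id"] for u in self._users.values() if u["role"] == "admin")


def vulnerable_first_login(store, user_id):
    """Pre-fix LDAP/OAuth pattern: decide the role from the count (time of check),
    then create the user with that role (time of use). Anything that happens
    between the two steps is invisible to this code."""
    role = "admin" if store.get_num_users() == 0 else DEFAULT_USER_ROLE
    yield "checked"
    store.insert_new_user(user_id, role)
    yield "inserted"


def fixed_first_login(store, user_id):
    """Post-fix pattern: insert with the default role first, then promote only if
    this account is the sole row. The count never decreases, so once two inserts
    have committed no login can observe a count of 1."""
    store.insert_new_user(user_id, DEFAULT_USER_ROLE)
    yield "inserted"
    if store.get_num_users() == 1:
        store.update_user_role_by_id(user_id, "admin")
    yield "checked"


def run_interleaved(flow, order):
    """Run two concurrent first logins ("alice" and "bob", constructed ids)
    against a fresh store, advancing them in the given order of flow indices.
    Returns the sorted ids that ended up with the admin role."""
    store = UserStore()
    flows = [flow(store, "alice"), flow(store, "bob")]
    for i in order:
        next(flows[i], None)
    return store.admins()


RACED = [0, 1, 0, 1]   # both requests finish step one before either runs step two
SERIAL = [0, 0, 1, 1]  # alice's login completes before bob's begins


if __name__ == "__main__":
    print("vulnerable, serial:", run_interleaved(vulnerable_first_login, SERIAL))  # ['alice']
    print("vulnerable, raced :", run_interleaved(vulnerable_first_login, RACED))   # ['alice', 'bob']
    print("fixed, serial     :", run_interleaved(fixed_first_login, SERIAL))       # ['alice']
    print("fixed, raced      :", run_interleaved(fixed_first_login, RACED))        # []
```

Under the serial schedule both patterns behave the same. Under the raced schedule the pre-fix flow hands out two admin roles, while the fixed flow hands out none: both inserts commit before either count check runs, so each sees 2 and neither promotes. That is the safe failure mode the fix is designed for, since the invariant it enforces is that no more than one login can ever see a count of 1, not that exactly one will.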
Vulnerability Details
EPSS: 0.0%
May 14, 2026
Original source: https://github.com/advisories/GHSA-h3ww-q6xx-w7x3
First tracked: May 14, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%