2 matches found
Race Condition
Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Race Condition through a race condition in the LDAP and OAuth authentication processes. An attacker can obtain administrative privileges by sending multiple concurrent authentication requests during the initi...
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
Summary The LDAP and OAuth authentication flows use a TOCTOU Time-of-Check-Time-of-Use pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, line 663 was explicitly patched to prevent this race with the comment "Insert with default role first to avoid...