CVE-2026-59218
Received Received - Intake

Unauthenticated Account Enumeration in Open WebUI

Vulnerability report for CVE-2026-59218, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than missing-email attempts and allowing unauthenticated account enumeration. This issue is fixed in version 0.10.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
open_webui open_webui to 0.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59218 is a timing side channel vulnerability in the Open WebUI platform prior to version 0.10.0. The /api/v1/auths/signin endpoint handled login attempts differently based on whether the email existed in the system. Specifically, password verification using bcrypt was only performed if the email was registered, causing login attempts with valid emails to take longer (~180 ms) than attempts with non-existent emails (~5 ms). This timing difference allowed unauthenticated attackers to enumerate valid user accounts by measuring response times.

The vulnerability was fixed in version 0.10.0 by introducing a placeholder bcrypt hash that is verified for all login attempts, regardless of whether the email exists. This change ensures consistent response times and prevents attackers from distinguishing valid accounts based on timing.

Impact Analysis

This vulnerability allows an unauthenticated attacker to perform account enumeration by measuring the time it takes for the system to respond to login attempts. Knowing which email addresses are registered can facilitate targeted attacks such as phishing, password guessing, or social engineering.

Although the vulnerability does not directly allow password compromise or system access, it leaks sensitive information about user accounts, which can be leveraged in further attacks.

The vulnerability has a moderate severity rating with a CVSS score of 5.3, reflecting its potential impact on confidentiality through information disclosure.

Compliance Impact

The vulnerability allows unauthenticated attackers to enumerate valid user accounts by exploiting timing differences in the login process. This could lead to unauthorized disclosure of user existence information.

Such account enumeration issues can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and preventing unauthorized access or disclosure of user information.

By enabling attackers to confirm registered email addresses, the vulnerability increases the risk of targeted attacks or phishing, potentially compromising user privacy and violating regulatory requirements for protecting user identity and access information.

The issue was fixed in version 0.10.0 by ensuring consistent response times during authentication attempts, mitigating the risk of account enumeration and helping maintain compliance with such standards.

Detection Guidance

This vulnerability can be detected by measuring the response times of the /api/v1/auths/signin endpoint when attempting to sign in with different email addresses.

Specifically, an attacker can observe that login attempts with non-existent emails respond faster (~5 ms) than those with valid emails (~180 ms) due to the bcrypt password verification only running for existing accounts.

To detect this on your system, you can perform timing analysis by sending multiple signin requests with various email addresses and measuring the response times to identify discrepancies.

  • Use curl or similar HTTP clients to send POST requests to /api/v1/auths/signin with different email payloads.
  • Measure and compare the response times for existing versus non-existing email addresses.
  • Example command: curl -X POST https://your-openwebui-instance/api/v1/auths/signin -d '{"email":"[email protected]","password":"any"}' -w "%{time_total}\n" -o /dev/null -s

By automating such requests and analyzing timing differences, you can detect if the vulnerable behavior is present.

Mitigation Strategies

The immediate mitigation step is to upgrade Open WebUI to version 0.10.0 or later, where this vulnerability is fixed.

The fix involves running bcrypt password verification against a constant placeholder hash for all login attempts, eliminating timing differences that allow account enumeration.

If upgrading immediately is not possible, consider implementing network-level protections such as rate limiting and monitoring unusual login attempts to reduce the risk of exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59218. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart