[GH-ISSUE #12611] issue: Signins with passwords that are longer than 71 characters work even when they are trimmed to that length #32186

Closed
opened 2026-04-25 06:04:25 -05:00 by GiteaMirror · 3 comments

Originally created by @mrakgr on GitHub (Apr 8, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/12611

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.6.2

Ollama Version (if applicable)

No response

Operating System

Windows 11

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have listed steps to reproduce the bug in detail.

Expected Behavior

That only the original password would provide access to the account.

Actual Behavior

Any password which matches the first 71 characters of the password will be allowed.

Steps to Reproduce

Create an account with a large password, greater than 72 characters. Try logging in with the end of it trimmed.

Logs & Screenshots

When I execute the signin endpoint using the actual password, it works.

Image: https://github.com/user-attachments/assets/c9b8401a-8c45-4961-9b5b-a2189b76d003

Image: https://github.com/user-attachments/assets/c280a297-588c-4612-9641-c54cd25ae3fe

When I remove a few letters from the end of the password....

Image: https://github.com/user-attachments/assets/68bdaaa7-d98d-4365-8b8f-445b72baccf4

Image: https://github.com/user-attachments/assets/a78b0d07-1758-4c85-a883-223756a77215

It also works. I have to remove quite a bit of the password before it triggers an error....

Image: https://github.com/user-attachments/assets/e4e26ea3-f082-49fb-9a70-5727fc62c8cd

Image: https://github.com/user-attachments/assets/d37d9a6d-8bcb-41e2-a96a-7b50326aae84

Image: https://github.com/user-attachments/assets/bc6c516e-48a2-4417-9845-e3236e2efe4b

Image: https://github.com/user-attachments/assets/a660645d-4431-4aea-8483-49a08d1d239e

I'd consider this a major security vulnerability, but I am guessing most users will have passwords less than 72 characters long. Good thing I realized this before going forward with using the API keys as user passwords.

Additional Information

There's nothing interesting in the browser or the docker container logs, so I will skip those.

GiteaMirror added the bug label 2026-04-25 06:04:25 -05:00

@mrakgr commented on GitHub (Apr 8, 2025):

I'll change my approach and hash the email in order to derive the password instead.


@tjbck commented on GitHub (Apr 8, 2025):

Bcrypt has a maximum input length of 72 bytes for the password (not characters, but bytes). Any bytes beyond that will be ignored silently.

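The 72-byte limit described in the comment above, as an added example that is not part of the original thread or of Open WebUI's code: it models bcrypt's truncation in plain Python rather than calling a bcrypt library, and shows the two defender-side mitigations (rejecting over-length passwords, measured in bytes, and pre-hashing so every byte of the password counts). The function names and the sample passwords are my own.

```python
import base64
import hashlib

# bcrypt hashes at most this many bytes of the password (tjbck's comment above).
BCRYPT_MAX_BYTES = 72


def bcrypt_effective_input(password: str) -> bytes:
    """Model of what bcrypt actually hashes: the UTF-8 encoding cut at 72 bytes.

    This models the documented truncation; it does not call a bcrypt library.
    Bytes past the limit are dropped silently, which is the bug reported here.
    """
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def truncation_collides(stored_password: str, candidate: str) -> bool:
    """True when a bcrypt hash of `stored_password` would also verify `candidate`,
    purely because the two agree on their first 72 bytes."""
    return bcrypt_effective_input(stored_password) == bcrypt_effective_input(candidate)


def is_bcrypt_safe_length(password: str) -> bool:
    """The limit is in bytes, not characters: a 40-character password made of
    2-byte UTF-8 characters is 80 bytes and would be truncated."""
    return len(password.encode("utf-8")) <= BCRYPT_MAX_BYTES


def check_bcrypt_length(password: str) -> int:
    """Mitigation 1, applied at signup and signin: refuse anything bcrypt would
    truncate instead of silently accepting it. Returns the byte length."""
    n = len(password.encode("utf-8"))
    if n > BCRYPT_MAX_BYTES:
        raise ValueError(f"password is {n} bytes; bcrypt only hashes the first {BCRYPT_MAX_BYTES}")
    return n


def prehash_for_bcrypt(password: str) -> bytes:
    """Mitigation 2: SHA-256 the password first and feed bcrypt the base64 digest
    (44 ASCII bytes, never containing NUL), so every byte of a password of any
    length influences the final hash. This is the same idea as Django's
    BCryptSHA256PasswordHasher; it is not Open WebUI's own fix."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)
```

The pre-hashed value must be what is passed to bcrypt both when storing and when verifying; mixing the two schemes on one account would lock it out.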

@tjbck commented on GitHub (Apr 8, 2025):

60d11c1f6f2982209f89083c3e2a2c471587bdfb

Reference: github-starred/open-webui#32186