[GH-ISSUE #22958] issue: Password Complexity Rule Not Enforced on Password Change #35381

Closed
opened 2026-04-25 09:35:40 -05:00 by GiteaMirror · 1 comment

Originally created by @Mogelmose on GitHub (Mar 23, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/22958

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.8.10

Ollama Version (if applicable)

0.17.7

Operating System

openSUSE Tumbleweed

Browser (if applicable)

Brave v1.88.134

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

The new password should be validated against the configured PASSWORD_VALIDATION_REGEX_PATTERN environment variable and rejected if it does not meet the complexity requirements.

Actual Behavior

validate_password() is called with form_data.password (the current/old password) instead of form_data.new_password. Since the old password already met the rule when it was set, the check always passes.

Steps to Reproduce

  1. Configure a password complexity rule via environment variable VALIDATE_PASSWORD_REGEX_PATTERN
  2. Sign in with a valid account
  3. Change your password to one that does not meet the complexity rule
  4. The change succeeds without error

Logs & Screenshots

Environment variables regarding password validation I have set:
PASSWORD_VALIDATION_REGEX_PATTERN=^.{15,}$
ENABLE_PASSWORD_VALIDATION=true

Additional Information

Location
backend/open_webui/routers/auths.py, update_password handler

In UpdatePasswordForm, there are two fields — password (current) and new_password (new). The validate_password call incorrectly references the former.
For comparison, the signup and add_user handlers use a single-field form where form_data.password correctly refers to the new password being set — so those endpoints are unaffected.

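A constructed Python illustration of the defect described above, added here and not taken from Open WebUI's code base: a stand-in `validate_password()` enforcing the reporter's `^.{15,}$` rule, the handler as reported (rule checked against the old password) beside the corrected one (rule checked against the new password), and a helper showing that only the corrected handler rejects a weak replacement. All names other than those quoted in the report are assumptions, and plaintext comparison stands in for real hash verification.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the configured settings (mirrors the reporter's values).
ENABLE_PASSWORD_VALIDATION = True
PASSWORD_VALIDATION_REGEX_PATTERN = r"^.{15,}$"


class PasswordPolicyError(ValueError):
    """Raised when a candidate password fails the configured complexity rule."""


def validate_password(password: str) -> None:
    """Hypothetical stand-in for the project's validate_password(): reject any
    password that does not fully match the configured regex."""
    if not ENABLE_PASSWORD_VALIDATION:
        return
    if re.fullmatch(PASSWORD_VALIDATION_REGEX_PATTERN, password) is None:
        raise PasswordPolicyError("password does not meet the complexity rule")


@dataclass
class UpdatePasswordForm:
    password: str      # current password, used only to authorise the change
    new_password: str  # the password the user wants to set


def update_password_buggy(form_data: UpdatePasswordForm, current: str) -> str:
    """Handler as reported: the rule is checked against the OLD password, which
    already satisfied it when it was set, so the check can never fail here."""
    if form_data.password != current:  # simplified: real code verifies a hash
        raise PermissionError("current password is incorrect")
    validate_password(form_data.password)      # wrong field
    return form_data.new_password


def update_password_fixed(form_data: UpdatePasswordForm, current: str) -> str:
    """Corrected handler: authorise with the current password, then validate the
    NEW password before it is accepted."""
    if form_data.password != current:
        raise PermissionError("current password is incorrect")
    validate_password(form_data.new_password)  # validate what is being set
    return form_data.new_password


def weak_password_accepted(handler) -> bool:
    """True if `handler` lets an 8-character replacement through under ^.{15,}$."""
    old = "correct-horse-battery-staple"  # 28 chars, satisfies the rule
    form = UpdatePasswordForm(password=old, new_password="short123")
    try:
        handler(form, current=old)
        return True
    except PasswordPolicyError:
        return False
```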
GiteaMirror added the bug label 2026-04-25 09:35:40 -05:00
@tjbck commented on GitHub (Mar 24, 2026):

Addressed in dev.


Reference: github-starred/open-webui#35381