[PR #21630] [CLOSED] fix: race condition in signup allows multiple admin accounts #41800

New Issue

Closed

opened 2026-04-25 13:55:53 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-04-25 13:55:53 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21630
Author: @theeggorchicken
Created: 2/20/2026
Status: ❌ Closed

Base: main ← Head: fix/signup-race-condition

---

📝 Commits (1)

• 9f837b0 fix: race condition in signup allows multiple admin accounts

📊 Changes

1 file changed (+11 additions, -7 deletions)

View changed files

📝 backend/open_webui/routers/auths.py (+11 -7)

📄 Description

Security Fix: TOCTOU Race in Signup Allows Multiple Admin Registrations

Vulnerable Lines

File: backend/open_webui/routers/auths.py#L703-L709

has_users = Users.has_users(db=db)                    # CHECK
role = "admin" if not has_users else ...               # DECIDE  
hashed = get_password_hash(password)                   # bcrypt ~100ms window
user = Auths.insert_new_auth(..., role=role, db=db)   # USE (stale check)

What could happen

On a fresh Open WebUI deployment with multiple uvicorn workers, an attacker can send concurrent signup requests during first-user registration. Each worker's has_users() check returns False before any insert completes, so multiple accounts receive the admin role. I tested this with 4 workers and 30 concurrent requests — 4 accounts got admin. Each had full admin privileges: listing users, reading config, managing the instance.

How to verify

1. Start Open WebUI with UVICORN_WORKERS=4 and ENABLE_SIGNUP=true
2. On a fresh instance (no existing users), fire 20+ concurrent POST requests to /api/v1/auths/signup with different email addresses
3. Check how many responses contain "role": "admin" — without this fix, multiple will

Full HTTP traces and race condition results: evidence gist

What this PR does

Eliminates the TOCTOU (time-of-check-to-time-of-use) race window in signup_handler by reversing the order of operations:

1. Before (vulnerable): Check has_users() → decide role → hash password (~100ms) → insert with pre-decided role
2. After (fixed): Hash password → insert with default role → check get_num_users() after insert → promote to admin only if user count is exactly 1

The key insight is that get_num_users() after the insert is a point-in-time read that includes the just-inserted row. If two concurrent requests both insert, both will see count >= 2, so neither gets promoted. Only the truly first user (count == 1) becomes admin.

The fix also moves the ENABLE_SIGNUP = False guard into the same conditional block, so signup is disabled atomically with the admin promotion.

Evidence

https://gist.github.com/theeggorchicken/455f6c46ea73bd96396400a679c3c207

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21630 **Author:** [@theeggorchicken](https://github.com/theeggorchicken) **Created:** 2/20/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/signup-race-condition` --- ### 📝 Commits (1) - [`9f837b0`](https://github.com/open-webui/open-webui/commit/9f837b0e7b019562d4de9d2952fd752acb11b056) fix: race condition in signup allows multiple admin accounts ### 📊 Changes **1 file changed** (+11 additions, -7 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/auths.py` (+11 -7) </details> ### 📄 Description ## Security Fix: TOCTOU Race in Signup Allows Multiple Admin Registrations ### Vulnerable Lines **File:** [`backend/open_webui/routers/auths.py#L703-L709`](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/auths.py#L703-L709) ```python has_users = Users.has_users(db=db) # CHECK role = "admin" if not has_users else ... # DECIDE hashed = get_password_hash(password) # bcrypt ~100ms window user = Auths.insert_new_auth(..., role=role, db=db) # USE (stale check) ``` ### What could happen On a fresh Open WebUI deployment with multiple uvicorn workers, an attacker can send concurrent signup requests during first-user registration. Each worker's `has_users()` check returns False before any insert completes, so multiple accounts receive the admin role. I tested this with 4 workers and 30 concurrent requests — 4 accounts got admin. Each had full admin privileges: listing users, reading config, managing the instance. ### How to verify 1. Start Open WebUI with `UVICORN_WORKERS=4` and `ENABLE_SIGNUP=true` 2. On a fresh instance (no existing users), fire 20+ concurrent POST requests to `/api/v1/auths/signup` with different email addresses 3. Check how many responses contain `"role": "admin"` — without this fix, multiple will Full HTTP traces and race condition results: [evidence gist](https://gist.github.com/theeggorchicken/455f6c46ea73bd96396400a679c3c207) ### What this PR does Eliminates the TOCTOU (time-of-check-to-time-of-use) race window in `signup_handler` by reversing the order of operations: 1. **Before (vulnerable):** Check `has_users()` → decide role → hash password (~100ms) → insert with pre-decided role 2. **After (fixed):** Hash password → insert with default role → check `get_num_users()` after insert → promote to admin only if user count is exactly 1 The key insight is that `get_num_users()` after the insert is a point-in-time read that includes the just-inserted row. If two concurrent requests both insert, both will see count >= 2, so neither gets promoted. Only the truly first user (count == 1) becomes admin. The fix also moves the `ENABLE_SIGNUP = False` guard into the same conditional block, so signup is disabled atomically with the admin promotion. ### Evidence https://gist.github.com/theeggorchicken/455f6c46ea73bd96396400a679c3c207 --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-04-25 13:55:53 -05:00

GiteaMirror closed this issue 2026-04-25 13:55:53 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#41800