mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-17 08:21:12 -05:00
[PR #23633] [MERGED] fix: reject empty passwords in LDAP authentication to prevent unauthenticated binds #66146
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/23633
Author: @Classic298
Created: 4/12/2026
Status: ✅ Merged
Merged: 4/12/2026
Merged by: @tjbck
Base:
dev← Head:fix/ldap-empty-password-bypass📝 Commits (1)
0dbb60bfix: reject empty passwords in LDAP authentication to prevent unauthenticated binds📊 Changes
1 file changed (+8 additions, -0 deletions)
View changed files
📝
backend/open_webui/routers/auths.py(+8 -0)📄 Description
Per RFC 4513, a Simple Bind with a non-empty DN but empty password is unauthenticated simple authentication. Many LDAP servers (OpenLDAP default, some AD configs) accept these binds, allowing account takeover without valid credentials.
Rejects empty and whitespace-only passwords before attempting the LDAP bind.
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.