BerriAI litellm Admin Key key_management_endpoints.py improper authorization
Description
A vulnerability has been identified in BerriAI litellm up to and including version 1.63.1. The affected code is in the file litellm/proxy/management_endpoints/key_management_endpoints.py, part of the Admin Key Handler component. The flaw is improper authorization (CWE-285): an authenticated caller can perform key management operations that should be restricted by ownership or role. The attack can be carried out remotely. An exploit has been publicly disclosed and may be in use. The fix is tracked as pull request 23781; applying the patch is recommended. The vendor was contacted early about this disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Patches: 1
Vulnerability mechanics
Root cause
"Missing ownership and role-based access control checks in the /key/block and /key/unblock endpoints allow any internal_user to block or unblock arbitrary keys."
Attack vector
An attacker holding a valid `internal_user` API key can call the `/key/block` or `/key/unblock` endpoints against any key in the system, including administrative (`proxy_admin`) keys. The endpoint logic only checks that the caller has the `internal_user` role (via middleware); it never compares the target key's owner to the caller and never requires a higher privilege level for keys the caller does not own. The attacker can therefore block or unblock arbitrary keys remotely. This is a horizontal and vertical privilege escalation: blocking administrative or production keys causes a denial of service, and unblocking a key that an administrator deliberately blocked reverses a containment action. [CWE-285]
Affected code
The vulnerability resides in `litellm/proxy/management_endpoints/key_management_endpoints.py`, specifically in the `block_key` and `unblock_key` functions. The admin key handler fails to enforce ownership or role-based (e.g., `proxy_admin`) access controls on the target key being operated on.
What the fix does
The patch (pull request 23781) is not included in the bundle, so the exact diff is unavailable. Based on the advisory [ref_id=2], the fix is expected to add ownership verification or a `proxy_admin` role check inside the `block_key` and `unblock_key` endpoint implementations, so that a caller can only modify a key it owns unless it holds the administrative role. Without such a check, any `internal_user` can block or unblock any key in the system.
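The following is an added illustrative model of the flaw described above and of the kind of check the fix needs to add. It is not litellm's code and not the contents of pull request 23781: the key table, the `VirtualKey` fields (`user_id`, `role`, `blocked`), the role names `internal_user` and `proxy_admin`, and the function names are all assumptions made for this example. It shows the pre-fix behaviour (a role gate only, applied to the caller and never to the target key) beside a hardened version that requires the caller to be `proxy_admin` or the owner of the target key, and it covers both block and unblock since both endpoints share the same authorization gap.

```python
"""Illustrative model of the /key/block and /key/unblock authorization flaw.

Constructed example; not litellm's own code. Field and role names are assumptions.
"""
from dataclasses import dataclass


class AuthError(Exception):
    """Raised when the caller is not allowed to operate on the target key."""


@dataclass
class VirtualKey:
    token: str
    user_id: str   # assumed: the user who owns this key
    role: str      # assumed role names: "proxy_admin" or "internal_user"
    blocked: bool = False


def make_store() -> dict[str, VirtualKey]:
    """Constructed sample data: one admin key and two internal-user keys."""
    return {
        "sk-admin": VirtualKey("sk-admin", "admin", "proxy_admin"),
        "sk-alice": VirtualKey("sk-alice", "alice", "internal_user"),
        "sk-bob": VirtualKey("sk-bob", "bob", "internal_user"),
    }


def block_key_vulnerable(store: dict[str, VirtualKey], caller_token: str, target_token: str) -> bool:
    """Pre-fix behaviour: only the caller's role is gated.

    The target key is never compared to the caller, so any internal_user
    can block any key, including a proxy_admin key.
    """
    caller = store[caller_token]
    if caller.role not in ("internal_user", "proxy_admin"):
        raise AuthError("role not permitted")
    store[target_token].blocked = True
    return store[target_token].blocked


def _authorize_target(store: dict[str, VirtualKey], caller_token: str, target_token: str) -> VirtualKey:
    """Return the target key if the caller is an admin or owns it; raise otherwise.

    Non-admins receive the same error for "not yours" and "does not exist",
    so the endpoint cannot be used to enumerate which tokens are valid.
    """
    caller = store[caller_token]
    target = store.get(target_token)
    if caller.role != "proxy_admin":
        if target is None or target.user_id != caller.user_id:
            raise AuthError("caller may only operate on keys it owns")
    elif target is None:
        raise KeyError("no such key")
    return target


def block_key_fixed(store: dict[str, VirtualKey], caller_token: str, target_token: str) -> bool:
    """Hardened block: admin, or owner of the target key, only."""
    target = _authorize_target(store, caller_token, target_token)
    target.blocked = True
    return True


def unblock_key_fixed(store: dict[str, VirtualKey], caller_token: str, target_token: str) -> bool:
    """Hardened unblock: same ownership/role rule as block."""
    target = _authorize_target(store, caller_token, target_token)
    target.blocked = False
    return True


def try_call(fn, *args) -> object:
    """Run fn(*args); return its result, or the name of the exception it raised."""
    try:
        return fn(*args)
    except Exception as exc:  # noqa: BLE001 - demonstration helper
        return type(exc).__name__


if __name__ == "__main__":
    s = make_store()
    print("vulnerable: bob blocks admin ->", try_call(block_key_vulnerable, s, "sk-bob", "sk-admin"))
    s = make_store()
    print("fixed: bob blocks admin ->", try_call(block_key_fixed, s, "sk-bob", "sk-admin"))
    print("fixed: bob blocks bob ->", try_call(block_key_fixed, s, "sk-bob", "sk-bob"))
    print("fixed: admin unblocks bob ->", try_call(unblock_key_fixed, s, "sk-admin", "sk-bob"))
```

The design point is that the authorization decision has to be made against the object being acted on, not only against the caller's role; a middleware that admits every `internal_user` cannot express "your own keys only". Keeping the ownership check in one helper also means block and unblock cannot drift apart, which matters here because both endpoints had the same gap.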
Preconditions
- auth: Attacker must possess a valid internal_user API key for the LiteLLM proxy
- config: The target LiteLLM instance must have the /key/block and /key/unblock endpoints exposed
- network: The attack is performed over the network against the proxy server
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/BerriAI/litellm/pull/23781 (mitre; issue-tracking, patch)
- gist.github.com/YLChen-007/993c68152b2c770d53590f1684c755d4 (mitre; exploit)
- vuldb.com/cve/CVE-2026-12770 (mitre; third-party-advisory)
- vuldb.com/submit/811279 (mitre; third-party-advisory)
- vuldb.com/vuln/372512 (mitre; vdb-entry)
- vuldb.com/vuln/372512/cti (mitre; signature, permissions-required)