BerriAI litellm SSO Debug Flow ui_sso.py json.dumps missing authentication
Description
A vulnerability has been identified in BerriAI litellm up to version 1.82.2. It affects the json.dumps call in the file litellm/proxy/management_endpoints/ui_sso.py, part of the SSO Debug Flow component. Manipulation of this code path leads to missing authentication. The attack can be carried out remotely. An exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing authentication on SSO debug endpoints allows unauthenticated access to OAuth user data and raw tokens, with unsafe HTML injection via json.dumps()."
Attack vector
An unauthenticated attacker can reach `/sso/debug/login` (which redirects to the SSO provider) and then `/sso/debug/callback` to receive the OAuth user profile rendered in HTML [ref_id=1]. For Google/Microsoft SSO, raw `access_token` and `id_token` are also leaked, enabling token theft and impersonation against the identity provider [ref_id=1]. Additionally, because `json.dumps()` does not escape `<`, `>`, or `/`, an attacker who controls an IdP profile field (e.g., display name) can inject a `</script>` sequence and execute arbitrary JavaScript in the browser of anyone viewing the debug page, creating a reflected XSS vector [CWE-79] [ref_id=1].
Affected code
The vulnerability resides in `litellm/proxy/management_endpoints/ui_sso.py`. The `/sso/debug/login` endpoint (line 3505) lacks the `Depends(user_api_key_auth)` dependency and only checks an enterprise license flag, while `/sso/debug/callback` (line 3555) has no authentication at all. The callback also passes `return_raw_sso_response=True` to Google and Microsoft SSO handlers (lines 3600–3611), bypassing the credential-filter allowlist, and injects OAuth data into a `<script>` block via `json.dumps()` without HTML escaping (lines 3650–3652).
What the fix does
The advisory does not include a published patch, but it identifies the root causes: the debug endpoints must require `Depends(user_api_key_auth)` to enforce authentication, the `return_raw_sso_response=True` flag should be removed or the `_OAUTH_TOKEN_FIELDS` allowlist applied, and the `json.dumps()` output must be HTML-escaped before being placed into the `<script>` block [ref_id=1]. Until a fix is released, the vendor recommends removing or disabling the SSO debug endpoints in production.
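The third root cause above is the script-context injection. The following is an added example, not code from litellm or the advisory, that shows why a bare `json.dumps()` inside a `<script>` block is unsafe and what a hardened serialiser looks like; note that it escapes at the JSON level (`\u003c` etc.) rather than with `html.escape()`, because HTML entities are not decoded inside a `<script>` element and would corrupt the JSON. The profile dict and the `ssoData` variable name are constructed for the demonstration.

```python
import json

# Constructed sample: an IdP-controlled profile field carrying a closing tag.
# Only the "name" value is attacker-influenced; everything else is ordinary data.
SAMPLE_PROFILE = {
    "email": "user@example.com",
    "name": "Jane </script> Doe",
}


def embed_unsafe(data: dict) -> str:
    """The pattern the advisory describes: json.dumps() dropped straight into a <script> block.
    json.dumps leaves <, >, & and / untouched, so a </script> in any value
    terminates the data block early and the rest is parsed as markup."""
    return f"<script>const ssoData = {json.dumps(data)};</script>"


def json_for_script(data: dict) -> str:
    """Serialise to JSON that is safe to embed in a <script> element.

    Replacing <, > and & with their \\uXXXX escapes keeps the output valid JSON
    (json.loads still yields the original strings) while guaranteeing the text
    can never contain a literal tag. The default ensure_ascii=True already
    escapes non-ASCII characters such as the JS line terminators U+2028/U+2029.
    """
    out = json.dumps(data, ensure_ascii=True)
    return (
        out.replace("&", "\\u0026")
           .replace("<", "\\u003c")
           .replace(">", "\\u003e")
    )


def embed_safe(data: dict) -> str:
    """Hardened counterpart of embed_unsafe using the script-safe serialiser."""
    return f"<script>const ssoData = {json_for_script(data)};</script>"


def script_breakout(page: str) -> bool:
    """Detection check for a rendered page: more than one </script> means an
    embedded value closed the data block early."""
    return page.lower().count("</script>") > 1


def roundtrip_ok(data: dict) -> bool:
    """The escaped form must decode back to exactly the original data."""
    return json.loads(json_for_script(data)) == data


if __name__ == "__main__":
    print("unsafe breaks out:", script_breakout(embed_unsafe(SAMPLE_PROFILE)))
    print("safe breaks out:  ", script_breakout(embed_safe(SAMPLE_PROFILE)))
```

The same `json_for_script` helper can be applied to any value that reaches an inline script, but it does not replace the missing `Depends(user_api_key_auth)` on the debug endpoints; both fixes are needed.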
Preconditions
- Configuration: LiteLLM Enterprise instance with any SSO provider configured
- Authentication: none required; the attacker does not need an API key or session token
- Network: access to the LiteLLM proxy (e.g., http://localhost:4000)
Reproduction
1. Verify unauthenticated access: `curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/sso/debug/login` returns 303 (not 401/403).
2. Verify the unauthenticated callback: `curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/sso/debug/callback` returns 400 (not 401/403).
3. Complete the SSO debug flow by navigating to `http://localhost:4000/sso/debug/login` in a browser, authenticating with the SSO provider, and observing the rendered OAuth data, including tokens for Google/Microsoft providers [ref_id=1].
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/YLChen-007/9b13c75a3a73187a4082cc6df0b100d3 (mitre; exploit)
- vuldb.com/cve/CVE-2026-12795 (mitre; third-party advisory)
- vuldb.com/submit/811286 (mitre; third-party advisory)
- vuldb.com/vuln/372557 (mitre; vdb entry, technical description)
- vuldb.com/vuln/372557/cti (mitre; signature, permissions required)