BerriAI litellm Incomplete Fix CVE-2025-0628 internal_user_endpoints.py ui_view_users improper authorization
Description
A security vulnerability has been detected in BerriAI litellm up to 1.82.2. The affected code is the function ui_view_users in the file litellm/proxy/management_endpoints/internal_user_endpoints.py; the issue is an incomplete fix for CVE-2025-0628. The flaw results in improper authorization: a remote attacker holding a valid low-privilege API key can reach an admin-only user listing. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"The `/user/filter/ui` endpoint is improperly registered in the `info_routes` whitelist, causing the routing middleware to skip RBAC enforcement, and the handler lacks an internal authorization check to restrict access to admin users."
Attack vector
An attacker with any valid low-privilege API key (e.g., role `internal_user_viewer`) sends a GET request to `/user/filter/ui`. Because the endpoint is registered in the `info_routes` whitelist, the global routing middleware bypasses standard RBAC enforcement, and the handler itself does not verify that the caller has admin-level privileges. This allows the attacker to enumerate every user's `user_id` and `user_email` across all tenants, including administrators [ref_id=1].
Affected code
The vulnerability is in the file `litellm/proxy/_types.py` where the endpoint `/user/filter/ui` is included in the `info_routes` whitelist, in `litellm/proxy/auth/route_checks.py` where the middleware `non_proxy_admin_allowed_routes_check` skips RBAC enforcement for whitelisted routes, and in `litellm/proxy/management_endpoints/internal_user_endpoints.py` where the handler `ui_view_users` lacks internal authorization checks [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory states that no patched versions have been released [ref_id=1]. To remediate, the `/user/filter/ui` endpoint must be removed from the `info_routes` whitelist in `litellm/proxy/_types.py`, and the `ui_view_users` handler must enforce a proper RBAC check (e.g., `_user_has_admin_view`) before returning the list of users [ref_id=1].
Preconditions
- auth: The attacker must have a valid, low-privilege API key (e.g., role internal_user_viewer).
- config: The LiteLLM instance must be running with a PostgreSQL backend to return user data.
- network: The /user/filter/ui endpoint must be reachable over the network.
Reproduction
1. Obtain a low-privilege API key (e.g., role internal_user_viewer).
2. Issue a GET request to `/user/filter/ui` with that key: `curl -s -X GET "http://localhost:4000/user/filter/ui" -H "Authorization: Bearer <LOW_PRIVILEGE_API_KEY>"`.
3. A 200 response listing `user_id` and `user_email` for users other than the caller, including administrators, confirms that neither the routing middleware nor the handler enforced the admin check [ref_id=1].
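The following is an added, illustrative model of the authorization chain described in the root cause, fix and reproduction sections above; it is not litellm's own code. The names are assumptions modelled on the advisory: `INFO_ROUTES_*` stands in for the `info_routes` whitelist in `_types.py`, `non_proxy_admin_allowed_routes_check` for the middleware in `route_checks.py`, `ui_view_users_*` for the handler, and `_user_has_admin_view` for the RBAC helper the fix is expected to call. The user rows are constructed sample data standing in for the PostgreSQL user table. The model shows why both halves of the remediation matter: dropping the route from the whitelist closes the middleware bypass, and the in-handler check closes it again if the route is ever re-whitelisted.

```python
# Added illustrative model of the /user/filter/ui authorization gap.
# Not litellm's code; all names below are assumptions modelled on the advisory.
from dataclasses import dataclass
from typing import Optional

ADMIN_VIEW_ROLES = frozenset({"proxy_admin", "proxy_admin_viewer"})
ROUTE = "/user/filter/ui"

# Vulnerable whitelist: the user-listing route is treated as a harmless "info" route.
INFO_ROUTES_VULNERABLE = frozenset({"/user/info", "/key/info", "/team/info", ROUTE})
# Remediated whitelist: the listing route is no longer exempt from the admin rule.
INFO_ROUTES_FIXED = INFO_ROUTES_VULNERABLE - {ROUTE}

# Constructed sample rows standing in for the PostgreSQL user table.
USER_TABLE = [
    {"user_id": "admin-1", "user_email": "admin@example.com"},
    {"user_id": "alice", "user_email": "alice@example.com"},
    {"user_id": "bob", "user_email": "bob@example.com"},
]


@dataclass(frozen=True)
class UserAPIKeyAuth:
    user_id: str
    user_role: str


class ProxyException(Exception):
    def __init__(self, status_code: int, message: str):
        super().__init__(message)
        self.status_code = status_code


def _user_has_admin_view(user: UserAPIKeyAuth) -> bool:
    return user.user_role in ADMIN_VIEW_ROLES


def non_proxy_admin_allowed_routes_check(user: UserAPIKeyAuth, route: str,
                                         info_routes: frozenset) -> None:
    """Middleware model: whitelisted routes skip the admin requirement entirely."""
    if route in info_routes:
        return  # RBAC skipped; this is the bug when a privileged route is whitelisted
    if not _user_has_admin_view(user):
        raise ProxyException(403, f"{user.user_role} is not allowed to call {route}")


def _filter_users(user_email: Optional[str] = None, user_id: Optional[str] = None):
    rows = USER_TABLE
    if user_email:
        rows = [r for r in rows if user_email.lower() in r["user_email"].lower()]
    if user_id:
        rows = [r for r in rows if user_id in r["user_id"]]
    return list(rows)


def ui_view_users_vulnerable(user, user_email=None, user_id=None):
    """Handler without an internal check: relies entirely on the middleware."""
    return _filter_users(user_email, user_id)


def ui_view_users_fixed(user, user_email=None, user_id=None):
    """Hardened handler: enforces admin view itself, independent of the whitelist."""
    if not _user_has_admin_view(user):
        raise ProxyException(403, "only proxy admins or admin viewers may list users")
    return _filter_users(user_email, user_id)


def request(user, info_routes, handler, user_email=None, user_id=None):
    """Model of the request path: middleware first, then handler. Returns (status, body)."""
    try:
        non_proxy_admin_allowed_routes_check(user, ROUTE, info_routes)
        return 200, handler(user, user_email=user_email, user_id=user_id)
    except ProxyException as exc:
        return exc.status_code, {"error": str(exc)}


LOW_PRIV = UserAPIKeyAuth(user_id="bob", user_role="internal_user_viewer")
ADMIN = UserAPIKeyAuth(user_id="admin-1", user_role="proxy_admin")

if __name__ == "__main__":
    for label, routes, handler in [
        ("vulnerable", INFO_ROUTES_VULNERABLE, ui_view_users_vulnerable),
        ("whitelist fixed only", INFO_ROUTES_FIXED, ui_view_users_vulnerable),
        ("handler fixed only", INFO_ROUTES_VULNERABLE, ui_view_users_fixed),
        ("both fixed", INFO_ROUTES_FIXED, ui_view_users_fixed),
    ]:
        print(f"{label:22} low-priv caller -> {request(LOW_PRIV, routes, handler)}")
    print(f"{'both fixed':22} admin caller    -> {request(ADMIN, INFO_ROUTES_FIXED, ui_view_users_fixed)}")
```

Running the block shows the low-privilege caller receiving all three rows only in the vulnerable configuration; either half of the fix alone already yields 403, and the admin caller is unaffected by the change.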
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/YLChen-007/3ace22e33e468d0166fe609c9fdf4184 (exploit)
- vuldb.com/cve/CVE-2026-12799 (third-party advisory)
- vuldb.com/submit/811291 (third-party advisory)
- vuldb.com/vuln/372561 (VDB entry, technical description)
- vuldb.com/vuln/372561/cti (signature, permissions required)