Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible proxy requires authenticated API key (PR:L); no confidentiality impact since keys are not exposed, only blocked or budget-modified.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was determined in BerriAI litellm up to 1.63.1. The impacted element is an unknown function of the file litellm/proxy/management_endpoints/key_management_endpoints.py of the component Admin Key Handler. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
AnalysisAI
Improper authorization in BerriAI LiteLLM versions 1.63.0-1.63.1 allows any authenticated user - holding any valid API key regardless of role - to perform admin-restricted operations on other users' API keys, including blocking, unblocking, and modifying budget limits via the /key/block, /key/unblock, and /key/update endpoints. The root cause, confirmed by GitHub PR #23781, is the complete absence of access-control enforcement on these endpoints despite their admin-only documentation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated LiteLLM API key with at minimum standard user privileges - the CVSS 4.0 vector confirms PR:L (low-privilege authentication required). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 4.0 score of 2.1 significantly underrepresents real-world operational risk for multi-tenant LiteLLM deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated LiteLLM user holding any standard (non-admin) API key identifies the hashed token of a target user's key - obtainable through normal API responses or shared deployment artifacts - and sends a crafted POST request to `/key/block` with the target token. Because the authorization check was absent in versions 1.63.0-1.63.1, the request succeeds and the target key is immediately blocked, denying that user API access. … |
| Remediation | The upstream fix is available as GitHub PR #23781 (https://github.com/BerriAI/litellm/pull/23781), which adds the `_check_key_admin_access()` authorization guard to the `/key/block`, `/key/unblock`, and `/key/update` (max_budget) endpoints. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read an
Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute
BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical s
Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute ar
BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on t
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error oc
In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerabi
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. Rated high severity (CVSS
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` en
A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated
berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. Rated med
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated crit
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38136
GHSA-6qr3-3g89-m4jj