CVE-2026-12770
Status: Received - Intake
Improper Authorization in BerriAI LiteLLM Admin Key Handler

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulDB

Description
A vulnerability was determined in BerriAI litellm up to 1.63.1. The impacted element is an unknown function of the file litellm/proxy/management_endpoints/key_management_endpoints.py of the component Admin Key Handler. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
Meta Information
Generated: 2026-06-21
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: berriai
Product: litellm
Version / Range: up to and including 1.63.1
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Executive Summary

This vulnerability exists in LiteLLM's key management endpoints, specifically in the functions that handle blocking and unblocking API keys. It allows any user with the internal_user role to block or unblock any API key, including administrative keys, due to insufficient ownership or role-based access controls.

This improper authorization flaw means that low-privileged users can manipulate critical API keys they should not have control over.

Impact Analysis

The vulnerability can be exploited remotely by low-privileged users to perform Denial of Service (DoS) attacks by disabling critical API keys.

Additionally, attackers can bypass security controls by unblocking malicious keys, potentially leading to unauthorized access or disruption of services.

Detection Guidance

This vulnerability involves improper authorization in LiteLLM's key management endpoints (/key/block and /key/unblock), allowing users with the internal_user role to block or unblock API keys improperly.

To detect exploitation attempts on your system or network, you should monitor access logs for unusual or unauthorized requests to the /key/block and /key/unblock endpoints, especially those initiated by users with the internal_user role.

Commands to help detect this may include:

  • Using grep or similar tools to search server logs for access to the /key/block or /key/unblock endpoints, e.g., `grep -E "/key/(un)?block" /var/log/litellm/access.log` (adjust the log path to your deployment; a reverse proxy in front of LiteLLM will usually hold the request log).
  • Checking for unusual API key status changes, or audit logs indicating key blocking/unblocking actions, that do not correlate with an administrator's change ticket.
  • Reviewing user roles and permissions to identify whether any internal_user role accounts are performing key-management actions they should not be able to perform.
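The detection steps above can be turned into a small log-scanning job. The following is an added example for this page, not LiteLLM code: it reads JSON-lines request logs, keeps only calls to /key/block and /key/unblock, and flags every call whose caller is not in an administrative role, separating successful calls (the strongest signal that the missing authorization check was exercised) from denied attempts. The log field names (ts, method, path, user_id, user_role, status), the role name proxy_admin, and the sample log lines are assumptions constructed for the example; map the field names to whatever your proxy or reverse proxy actually emits.

```python
"""Scan request logs for block/unblock calls on LiteLLM key endpoints made
by non-admin callers. Added illustration for this CVE page, not LiteLLM's
own code. The JSON-lines log format and field names are assumptions."""
import json

# Endpoints named in the advisory.
KEY_STATE_ENDPOINTS = {"/key/block", "/key/unblock"}
# Roles expected to change key state. Assumption: proxy_admin is the
# administrative role; internal_user is the low-privilege role in the advisory.
ALLOWED_ROLES = {"proxy_admin"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
{"ts":"2026-06-21T10:00:01Z","method":"POST","path":"/key/generate","user_id":"u1","user_role":"proxy_admin","status":200}
{"ts":"2026-06-21T10:00:05Z","method":"POST","path":"/key/block","user_id":"u7","user_role":"internal_user","status":200}
{"ts":"2026-06-21T10:00:06Z","method":"POST","path":"/key/unblock","user_id":"u7","user_role":"internal_user","status":200}
{"ts":"2026-06-21T10:00:09Z","method":"POST","path":"/key/block","user_id":"u1","user_role":"proxy_admin","status":200}
{"ts":"2026-06-21T10:00:12Z","method":"POST","path":"/key/block?x=1","user_id":"u9","user_role":"internal_user","status":403}
{"ts":"2026-06-21T10:00:14Z","method":"GET","path":"/key/info","user_id":"u7","user_role":"internal_user","status":200}
this line is not json and must be skipped
"""


def parse_lines(text):
    """Yield one dict per well-formed JSON line; skip malformed lines so a
    single bad record does not abort the scan."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def normalize_path(path):
    """Drop the query string and trailing slash so "/key/block?x=1" still
    matches the endpoint set."""
    return path.split("?", 1)[0].rstrip("/") or "/"


def find_suspicious(text):
    """Return key block/unblock requests whose caller is outside ALLOWED_ROLES.
    Each hit records whether the call succeeded (2xx) or was denied."""
    hits = []
    for rec in parse_lines(text):
        path = normalize_path(rec.get("path", ""))
        if path not in KEY_STATE_ENDPOINTS:
            continue
        if rec.get("user_role") in ALLOWED_ROLES:
            continue
        status = int(rec.get("status", 0))
        hits.append({
            "ts": rec.get("ts"),
            "user_id": rec.get("user_id"),
            "user_role": rec.get("user_role"),
            "path": path,
            "outcome": "succeeded" if 200 <= status < 300 else "denied",
        })
    return hits


def summarize_by_user(hits):
    """Count flagged calls per caller, useful for prioritising which
    accounts to review first."""
    counts = {}
    for h in hits:
        counts[h["user_id"]] = counts.get(h["user_id"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for h in flagged:
        print(h)
    print(summarize_by_user(flagged))
```

On the constructed sample this flags the two successful internal_user calls from u7 and the denied attempt from u9, and ignores the admin's block call and the unrelated /key/info request. A successful hit from a non-admin role on an unpatched version is the condition to treat as an incident, not merely an attempt.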
Mitigation Strategies

Immediate mitigation steps include restricting access to the key management endpoints (/key/block and /key/unblock) to only trusted and properly authorized users.

Review and tighten role-based access controls to ensure that users with the internal_user role cannot block or unblock API keys unless explicitly authorized.

Monitor and audit all key management activities to detect and respond to any unauthorized actions promptly.

Update LiteLLM to a release later than 1.63.1 (the last version in the affected range); treat the endpoint restrictions above as interim measures until that upgrade is done.
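The control the mitigation steps ask for is an ownership-or-role check in front of the key state change. The following is an added example written for this page; it is not LiteLLM's code and does not reproduce the vulnerable handler. It shows a handler with the flaw the advisory describes (only an authentication check, so any internal_user can act on any key) next to a hardened one that lets an administrator act on any key and every other role act only on keys it owns. The role names proxy_admin and internal_user, the Caller and KeyRecord fields, and the sample keys are assumptions.

```python
"""Ownership/role authorization for a key block/unblock handler.
Added illustration for this CVE page, not LiteLLM's own code.
Role names and record fields are assumptions."""
from dataclasses import dataclass

PROXY_ADMIN = "proxy_admin"      # assumed administrative role name
INTERNAL_USER = "internal_user"  # low-privilege role named in the advisory


@dataclass(frozen=True)
class Caller:
    user_id: str
    role: str


@dataclass
class KeyRecord:
    token: str
    user_id: str  # owner of the key
    blocked: bool = False


class AuthorizationError(PermissionError):
    pass


def authorize_key_state_change(caller, key):
    """Raise unless the caller may block/unblock this key.
    Policy: an admin may act on any key; any other authenticated role may
    act only on keys it owns. Everything else is denied by default."""
    if caller.role == PROXY_ADMIN:
        return
    if caller.user_id and caller.user_id == key.user_id:
        return
    raise AuthorizationError(
        f"{caller.user_id} ({caller.role}) may not change state of key {key.token}"
    )


def set_blocked_vulnerable(caller, key, blocked):
    """Flawed shape: only checks that the caller is authenticated, so an
    internal_user can block or unblock keys belonging to anyone."""
    if not caller.user_id:
        raise AuthorizationError("unauthenticated")
    key.blocked = blocked
    return key


def set_blocked_fixed(caller, key, blocked):
    """Hardened shape: the ownership/role check runs before any state change."""
    authorize_key_state_change(caller, key)
    key.blocked = blocked
    return key


def attempt(handler, caller, key, blocked):
    """Run a handler and report the outcome as a string, which keeps the
    policy table below easy to read and to assert on."""
    try:
        handler(caller, key, blocked)
        return "blocked" if key.blocked else "unblocked"
    except AuthorizationError:
        return "denied"


def policy_table(handler):
    """Exercise the handler against constructed callers and keys and
    return {(caller_id, key_token): outcome}."""
    admin = Caller("u1", PROXY_ADMIN)
    low = Caller("u7", INTERNAL_USER)
    cases = [
        (admin, KeyRecord("sk-team", "u7")),   # admin blocks someone else's key
        (low, KeyRecord("sk-own", "u7")),      # user blocks their own key
        (low, KeyRecord("sk-admin", "u1")),    # user tries to block an admin key
    ]
    return {(c.user_id, k.token): attempt(handler, c, k, True) for c, k in cases}


if __name__ == "__main__":
    print("vulnerable:", policy_table(set_blocked_vulnerable))
    print("fixed:     ", policy_table(set_blocked_fixed))
```

The vulnerable handler returns "blocked" for all three cases, including the internal_user acting on the admin's key; the fixed handler denies that case and leaves the other two unchanged. The same check guards unblock, since re-enabling a key an administrator deliberately blocked is the security-control bypass the impact analysis warns about.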

Compliance Impact

The vulnerability in BerriAI litellm's key management endpoints allows low-privileged users to block or unblock API keys, including administrative keys, due to improper authorization. This can lead to denial of service attacks or bypassing security controls.

Such improper authorization and potential security control bypasses can undermine the integrity and availability of systems, which are critical aspects of compliance with standards like GDPR and HIPAA that require strict access controls and protection of sensitive data.

Therefore, this vulnerability could negatively impact compliance with these regulations by exposing systems to unauthorized actions and potential data protection failures.
