CVE-2026-12796
Status: Received - Intake
Session Expiration in BerriAI litellm SSO Authentication

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulDB

Description
A vulnerability was identified in BerriAI litellm up to and including 1.82.2. It affects the function get_redirect_response_from_openid in the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Authentication Flow. The manipulation leads to insufficient session expiration (CWE-613): UI session tokens issued by earlier logins are not invalidated when the user re-authenticates. The attack can be carried out remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure.
Meta Information
Published: 2026-06-21
Last Modified: 2026-06-21
Generated: 2026-06-21
AI Q&A: 2026-06-21
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: berriai
Product: litellm
Version / Range: up to and including 1.82.2
CWE: CWE-613 Insufficient Session Expiration. According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Executive Summary

CVE-2026-12796 is an insecure session management vulnerability in LiteLLM's Single Sign-On (SSO) authentication flow. When a user logs in via SSO, the proxy generates a new UI session token but does not invalidate the tokens it previously issued to the same user. Every old token therefore stays usable until it expires on its own, so an attacker who has obtained one keeps access to the victim's account even after the victim logs in again.

The root cause is in the function get_redirect_response_from_openid in the file litellm/proxy/management_endpoints/ui_sso.py, which creates a new token without revoking the user's existing ones. Valid tokens accumulate, and re-authenticating through SSO gives the user no way to revoke a compromised token.

Impact Analysis

This vulnerability allows an attacker holding an old session token to maintain persistent unauthorized access to the account. Re-authentication by the legitimate user, which is normally the first response to a suspected session compromise, does not interrupt that access; only expiry of the stolen token does.

Additionally, because tokens are added rather than replaced on every login, the session store grows without bound. In a busy deployment this accumulation can consume database resources and degrade performance or availability.

Detection Guidance

This vulnerability involves the accumulation of valid UI session tokens that are not invalidated upon re-authentication in the SSO flow of LiteLLM. Detection can focus on identifying users who hold more than one live session token, and in particular on logins that completed while an earlier token of the same user was still valid.

You can monitor your system for unusually high numbers of active session tokens per user, or check logs for repeated token issuance with no corresponding invalidation.

Specific commands depend on your deployment and logging setup, but examples include querying your session token store or database for multiple valid tokens per user.

  • Use database queries to count active tokens per user, e.g., SQL: SELECT user_id, COUNT(token) FROM sessions WHERE valid = TRUE GROUP BY user_id HAVING COUNT(token) > 1; (the table and column names here are illustrative, not LiteLLM's schema; adapt them to where your deployment stores UI session tokens).
  • Check application logs for repeated SSO logins by the same user (calls to get_redirect_response_from_openid) that are not followed by invalidation of that user's earlier tokens.
  • Watch for the same user account presenting several distinct session tokens at the same time, especially from different source addresses: that is what a stolen token being used alongside the victim's new session looks like.
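The two checks above, run over a constructed export of a session store, as an added example that is not part of the original page or of LiteLLM. The record fields (user_id, token_id, issued_at, expires_at, revoked_at) are an assumption about what a token store export contains, not LiteLLM's schema. The first function finds the actual signature of this bug, a login that completed while an earlier token of the same user was still valid, which is more precise than the per-user count; the second is the per-user count at a point in time, equivalent to the SQL above.

```python
"""Detection logic for CVE-2026-12796-style session-token accumulation.

Added example, not LiteLLM code. The sample records below are constructed,
and the field names are an assumption about a session-store export.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class SessionRecord:
    user_id: str
    token_id: str
    issued_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None  # None = never explicitly invalidated

    def valid_at(self, when: datetime) -> bool:
        """True if the token was usable at `when`: already issued, not expired, not revoked."""
        if when < self.issued_at or when >= self.expires_at:
            return False
        return self.revoked_at is None or when < self.revoked_at


def unrevoked_reauth_events(records: list[SessionRecord]) -> list[tuple[str, str, list[str]]]:
    """Logins that completed while an older token of the same user was still valid.

    Each hit is (user_id, new_token_id, [older token ids still valid at issuance]).
    A login flow that revokes the user's previous sessions produces no hits, because
    the older tokens carry a revoked_at equal to (or before) the new issuance time.
    """
    by_user: dict[str, list[SessionRecord]] = {}
    for rec in records:
        by_user.setdefault(rec.user_id, []).append(rec)

    hits: list[tuple[str, str, list[str]]] = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r.issued_at)
        for i, new in enumerate(recs):
            stale = [old.token_id for old in recs[:i] if old.valid_at(new.issued_at)]
            if stale:
                hits.append((user, new.token_id, stale))
    return hits


def concurrent_valid_tokens(records: list[SessionRecord], when: datetime) -> dict[str, int]:
    """Users holding more than one valid token at `when` (the per-user count check)."""
    counts: dict[str, int] = {}
    for rec in records:
        if rec.valid_at(when):
            counts[rec.user_id] = counts.get(rec.user_id, 0) + 1
    return {user: n for user, n in counts.items() if n > 1}


# Constructed sample data: three users, 24-hour token lifetime.
T0 = datetime(2026, 6, 21, 9, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
DAY = timedelta(hours=24)
SAMPLE = [
    # alice: logs in at 09:00 and again at 10:00; the first token is never revoked (the bug).
    SessionRecord("alice", "tok-a1", T0, T0 + DAY),
    SessionRecord("alice", "tok-a2", T0 + H, T0 + H + DAY),
    # bob: re-login at 11:00 revoked the earlier token at that instant (expected behaviour).
    SessionRecord("bob", "tok-b1", T0, T0 + DAY, revoked_at=T0 + 2 * H),
    SessionRecord("bob", "tok-b2", T0 + 2 * H, T0 + 2 * H + DAY),
    # carol: an old token that had already expired, then a fresh login (no overlap).
    SessionRecord("carol", "tok-c1", T0 - 2 * DAY, T0 - DAY),
    SessionRecord("carol", "tok-c2", T0 + 3 * H, T0 + 3 * H + DAY),
]

if __name__ == "__main__":
    print("re-logins that left older tokens valid:", unrevoked_reauth_events(SAMPLE))
    print("users with >1 live token at 13:00:", concurrent_valid_tokens(SAMPLE, T0 + 4 * H))
```

Only alice is flagged by either check: bob's store shows the revocation a correct flow leaves behind, and carol's old token had expired before she logged in again. Note that the count check alone also flags legitimate multi-device use; the re-authentication check is the one that distinguishes this bug from a user who simply has two browsers open.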
Mitigation Strategies

To mitigate this vulnerability, invalidate a user's previously issued session tokens when a new SSO authentication completes.

Since the vulnerability allows persistent unauthorized access through old tokens, revoking or expiring all of a user's existing tokens on re-authentication is the critical step. Until that is in place, treat SSO re-login as revoking nothing: to evict an attacker who holds a stolen token you must remove the user's existing UI session tokens from the store directly.

If a patch or update from the vendor is available, apply it as soon as possible.

  • Revoke all of a user's active UI sessions at the moment a new SSO login completes, or at least give users a way to terminate all of their sessions.
  • Implement token expiration policies that limit token lifetime to less than the default 24 hours, which bounds how long a stolen token remains useful.
  • Monitor and audit session token usage to detect suspicious activity.
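The issuance pattern described in the summary beside its hardened form, as an added example that is not LiteLLM's own code. SessionStore is an in-memory stand-in for the token table; the method names sso_login_vulnerable and sso_login_hardened and the fixed NOW timestamp are assumptions made for the example. The vulnerable path mints a new token and leaves the old ones alone; the hardened path revokes every live session for the user first and takes an explicit lifetime, so both bullets above are shown.

```python
"""Vulnerable versus hardened UI-session issuance on SSO login (added example, not LiteLLM code).

SessionStore is an in-memory stand-in for the database table a real proxy would use;
in the real thing the revocation step is a delete/expire of the user's existing
session rows before the new one is inserted.
"""
from __future__ import annotations

import secrets
from datetime import datetime, timedelta, timezone

DEFAULT_SESSION_LIFETIME = timedelta(hours=24)  # the 24-hour default cited on the page
NOW = datetime(2026, 6, 21, 12, 0, tzinfo=timezone.utc)  # constructed fixed clock


class SessionStore:
    """token -> (user_id, expires_at); `revoked` holds tokens invalidated before expiry."""

    def __init__(self) -> None:
        self.tokens: dict[str, tuple[str, datetime]] = {}
        self.revoked: set[str] = set()

    def _issue(self, user_id: str, now: datetime, lifetime: timedelta) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user_id, now + lifetime)
        return token

    def is_valid(self, token: str, now: datetime) -> bool:
        entry = self.tokens.get(token)
        return entry is not None and token not in self.revoked and now < entry[1]

    def active_tokens(self, user_id: str, now: datetime) -> list[str]:
        return [t for t, (u, _) in self.tokens.items() if u == user_id and self.is_valid(t, now)]

    def sso_login_vulnerable(self, user_id: str, now: datetime,
                             lifetime: timedelta = DEFAULT_SESSION_LIFETIME) -> str:
        """The pattern the advisory describes: mint a new token, leave older ones valid."""
        return self._issue(user_id, now, lifetime)

    def sso_login_hardened(self, user_id: str, now: datetime,
                           lifetime: timedelta = DEFAULT_SESSION_LIFETIME) -> str:
        """Revoke every live session for this user, then mint the new one."""
        for token in self.active_tokens(user_id, now):
            self.revoked.add(token)
        return self._issue(user_id, now, lifetime)


def demo(now: datetime = NOW) -> dict[str, bool]:
    """Attacker captures the first token; victim re-authenticates five minutes later."""
    later = now + timedelta(minutes=5)

    vuln = SessionStore()
    stolen = vuln.sso_login_vulnerable("alice", now)   # captured by the attacker
    vuln.sso_login_vulnerable("alice", later)          # victim logs in again

    hard = SessionStore()
    stolen2 = hard.sso_login_hardened("alice", now)
    hard.sso_login_hardened("alice", later)

    # Shorter lifetime bounds the damage even if revocation is missed.
    short = SessionStore()
    short_tok = short.sso_login_vulnerable("alice", now, lifetime=timedelta(hours=1))

    return {
        "vulnerable_old_token_still_valid": vuln.is_valid(stolen, later),
        "hardened_old_token_still_valid": hard.is_valid(stolen2, later),
        "hardened_active_count_is_one": len(hard.active_tokens("alice", later)) == 1,
        "short_lifetime_token_dead_after_2h": not short.is_valid(short_tok, now + timedelta(hours=2)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Revoking all sessions on login is the simplest correct policy but it also logs the user out of other devices; if that is unacceptable, the alternative is to rotate only the session that initiated the re-login and to offer an explicit "sign out everywhere" action, which still gives the user a way to evict a stolen token.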
Compliance Impact

This vulnerability allows attackers to maintain persistent unauthorized access to user accounts by exploiting insecure session management in the SSO authentication flow. Such unauthorized access can lead to exposure of personal or sensitive data.

Persistent unauthorized access and inability to revoke compromised tokens may result in violations of data protection requirements under regulations like GDPR and HIPAA, which mandate strict controls over user authentication, session management, and protection of personal data.

Therefore, this vulnerability could negatively impact compliance with these standards by undermining the confidentiality and integrity of user sessions and data.
