{"key_alias":null,"duration":null,"models":[],"spend":0.0,"max_budget":null,"user_id":"[email protected]","team_id":null,"max_parallel_requests":null,"metadata":{},"tpm_limit":null,"rpm_limit":null,"budget_duration":null,"allowed_cache_controls":[],"soft_budget":null,"config":{},"permissions":{},"model_max_budget":{},"send_invite_email":null,"model_rpm_limit":null,"model_tpm_limit":null,"guardrails":null,"blocked":null,"aliases":{},"key":"<Second New Key>","key_name":"sk-...tSXg","expires":null,"token_id":"78ccab11279deabc5c7f8e0dd2d5faeae69a8e78938fce93e044710794976918"}
mirodrr2 changed the title from "[Bug]: Non Admin Users able to generate keys using other user's user_id" to "[Bug]: Non Admin Users able to generate keys using other user's user_id (Vulnerability)" on Dec 21, 2024
I am now pretty convinced this is a bug, because there is a check to make sure a non-admin user cannot delete another user's API keys, but there is not a similar check to make sure a user cannot create an API key using another user's user_id.
What happened?
It seems like non-admin users are able to generate keys using other users' user_id. The following works:
Request
Response
And now we use that key to try to create a key for a different user_id:
Request
Response
Unless I'm misunderstanding something here, this seems like a major security bug.
Relevant log output
No response
Are you a ML Ops Team?
No
What LiteLLM version are you on ?
v1.55.0
Twitter / LinkedIn details
No response
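The gap the reporter describes (an ownership check on key deletion but none on key generation), as an added illustration that is not LiteLLM's own code: a toy key store whose `generate_key_unchecked` reproduces the reported behaviour and whose `generate_key` applies the same owner-or-admin rule the comment says already guards deletion. The `Caller` class, the role names `proxy_admin` and `internal_user`, and the key format are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Caller:
    user_id: str
    role: str  # assumed role names: "proxy_admin" or "internal_user"


@dataclass
class KeyStore:
    keys: dict = field(default_factory=dict)  # key -> owner user_id

    def _assert_may_act_on(self, caller, target_user_id):
        # Non-admins may only act on keys tied to their own user_id.
        if caller.role != "proxy_admin" and caller.user_id != target_user_id:
            raise PermissionError(
                f"{caller.user_id} may not manage keys for {target_user_id}")

    def generate_key_unchecked(self, caller, user_id):
        # Reported behaviour: no ownership check, so any caller can mint a
        # key that the store attributes to someone else's user_id.
        key = "sk-" + secrets.token_hex(16)  # constructed key format
        self.keys[key] = user_id
        return key

    def generate_key(self, caller, user_id):
        # Hardened path: the same rule that already protects deletion.
        self._assert_may_act_on(caller, user_id)
        key = "sk-" + secrets.token_hex(16)
        self.keys[key] = user_id
        return key

    def delete_key(self, caller, key):
        # Deletion already enforces ownership; generation must match it.
        self._assert_may_act_on(caller, self.keys[key])
        del self.keys[key]


def demo():
    store = KeyStore()
    alice = Caller("alice", "internal_user")
    leaked = store.generate_key_unchecked(alice, "bob")  # succeeds wrongly
    try:
        store.generate_key(alice, "bob")  # refused by the ownership check
        refused = False
    except PermissionError:
        refused = True
    return store.keys[leaked], refused
```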