Submit #811291: litellm <= 1.82.2 Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

Title: litellm <= 1.82.2 Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Description:

# Technical Details

An Information Disclosure vulnerability exists in the `ui_view_users` method in `litellm/proxy/management_endpoints/internal_user_endpoints.py` of litellm. The fix for the previous `CVE-2025-0628` improperly registers `/user/filter/ui` in the `info_routes` mapping in `litellm/proxy/_types.py`. This bypasses strict administrative role evaluation and relies solely on the internal API structure correctly mapping its identity logic, which does not handle the request securely because it never asserts ownership.

# Vulnerable Code

File: `litellm/proxy/management_endpoints/internal_user_endpoints.py`
Method: `ui_view_users`
Why: Because `/user/filter/ui` runs through the lenient checks of `non_proxy_admin_allowed_routes_check` assigned via the mapped namespace, it bypasses top-level Proxy Admin enforcement completely. Once the request is passed down to the DB handler, no filter ensures that the returned data stays scoped to the caller's role and token, so the handler performs an unconstrained global query across multi-tenant users.

# Reproduction

1. Generate an enterprise role with minimal rights, explicitly restricted to `internal_user_viewer`.
2. Issue a simple HTTP GET to `/user/filter/ui` (e.g., `curl -s -X GET "http://localhost:4000/user/filter/ui" -H "Authorization: Bearer <LOW_PRIV_KEY>"`).
3. Observe complete database exposure across all integrated tables: Super Admin records and cross-tenant user identifiers alongside generic mapping fields.

# Impact

- System-wide exposure of administrative user IDs and critical tenant emails.
- Targeted enumeration allows focused targeting of privilege pools leveraging exposed administrative UUID mappings, potentially tying into parallel IDOR weaknesses.
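The route-classification failure described above, reduced to a toy authorization model so the weak and hardened configurations can be compared side by side (added example, not litellm's code; the user store, the `proxy_admin` and `internal_user` role strings, and all function names are constructed for this model):

```python
from dataclasses import dataclass

# Constructed user store standing in for the proxy's user table; the role
# strings other than `internal_user_viewer` are assumptions for this model.
USERS = [
    {"user_id": "u-admin-1", "email": "admin@example.test", "role": "proxy_admin"},
    {"user_id": "u-viewer-1", "email": "viewer@example.test", "role": "internal_user_viewer"},
    {"user_id": "u-tenant-2", "email": "tenant@example.test", "role": "internal_user"},
]

@dataclass
class Caller:
    user_id: str
    role: str

def is_authorized(route, caller, info_routes, admin_only_routes):
    """Two-tier check: routes in the admin set require proxy_admin; routes in
    the info allowlist pass for any authenticated role. The classification
    alone decides which tier applies, so a route placed in the wrong set
    silently drops to the lenient tier (the defect the report describes)."""
    if route in admin_only_routes:
        return caller.role == "proxy_admin"
    return route in info_routes   # lenient tier: no role assertion at all

def filter_users(caller, scoped):
    """DB handler. Unscoped, it returns every row regardless of caller;
    scoped, non-admins only ever see their own record (defence in depth)."""
    if scoped and caller.role != "proxy_admin":
        return [u for u in USERS if u["user_id"] == caller.user_id]
    return list(USERS)

def handle(route, caller, info_routes, admin_only_routes, scoped):
    if not is_authorized(route, caller, info_routes, admin_only_routes):
        return {"status": 403, "rows": []}
    return {"status": 200, "rows": filter_users(caller, scoped)}

# Weak configuration: the listing route sits in the info allowlist and the
# handler applies no scoping, mirroring the reported misregistration.
WEAK_INFO, WEAK_ADMIN = {"/user/filter/ui"}, set()
# Hardened: the route is admin-only and the handler still scopes results.
HARD_INFO, HARD_ADMIN = set(), {"/user/filter/ui"}

def demo():
    """Same low-privilege caller against both configurations."""
    viewer = Caller("u-viewer-1", "internal_user_viewer")
    weak = handle("/user/filter/ui", viewer, WEAK_INFO, WEAK_ADMIN, scoped=False)
    hard = handle("/user/filter/ui", viewer, HARD_INFO, HARD_ADMIN, scoped=True)
    return weak, hard
```

The scoped handler matters even once the route is reclassified: if a later refactor moves the route back into the lenient set, the query still returns only the caller's own record.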
Source: https://gist.github.com/YLChen-007/3ace22e33e468d0166fe609c9fdf4184
User: Eric-d (UID 96861)
Submission: 23.04.2026 10:12 (2 months ago)
Moderation: 20.06.2026 19:12 (2 months later)
Status: Accepted
VulDB Entry: 372561 [BerriAI litellm up to 1.82.2 Incomplete Fix CVE-2025-0628 internal_user_endpoints.py ui_view_users privilege escalation]
Points: 20
