जमा करें #778265: Weights and Biases OpenUI <= 1.0 (commit f9d8f0e) Use of Hard-coded Credentials (CWE-798)जानकारी

शीर्षकWeights and Biases OpenUI <= 1.0 (commit f9d8f0e) Use of Hard-coded Credentials (CWE-798)
विवरण# Technical Details A Hardcoded LiteLLM Master Key vulnerability exists in `backend/openui/config.py` of Weights and Biases OpenUI. A missing Python f-string prefix when setting the LITELLM_MASTER_KEY environment variable results in the proxy being initialized with the literal hardcoded string "sk-{SESSION_KEY}" on every deployment instead of a dynamically generated key. When OpenUI runs with --litellm flag, the LiteLLM proxy binds to x.x.x.x:4000. Since the token is statically known, any network attacker can bypass all authentication by passing Authorization: Bearer sk-{SESSION_KEY}. # Vulnerable Code File: backend/openui/config.py (line 44) Method: Module-level initialization Why: Missing 'f' prefix: os.environ["LITELLM_MASTER_KEY"] = "sk-{SESSION_KEY}" should be f"sk-{SESSION_KEY}". A similar bug on line 41 was already fixed in commit e21c8d5 but line 44 was missed. # Reproduction 1. Run OpenUI with LiteLLM enabled. 2. Query the LiteLLM proxy: curl -i http://localhost:4000/v1/models -H "Authorization: Bearer sk-{SESSION_KEY}" 3. Returns HTTP 200 OK instead of 401 Unauthorized, confirming the static credential is accepted. # Impact - Financial abuse: Unlimited LLM requests via victim's API keys (OpenAI, Anthropic). - Authentication bypass: Full admin access to LiteLLM proxy without session cookies. - Information exposure: Enumerate internal LLM model configurations.
स्रोत⚠️ https://gist.github.com/YLChen-007/3bf37486022d4c57caec3a35cd79ac92
उपयोगकर्ता
 Eric-b (UID 96354)
सबमिशन12/03/2026 02:46 AM (4 महीनों पहले)
संयम27/03/2026 02:48 PM (16 days later)
स्थितिस्वीकृत
VulDB प्रविष्टि353880 [wandb OpenUI तक 0.0.0.0/1.0 backend/openui/config.py LITELLM_MASTER_KEY कमजोर प्रमाणीकरण]
अंक20

Do you know our Splunk app?

Download it now for free!