Submit #811286: litellm <= 1.82.2 Missing Authentication for Critical Function (CWE-306)

Title: litellm <= 1.82.2 Missing Authentication for Critical Function (CWE-306)
Description:

# Technical Details

A Missing Authentication vulnerability exists in the `debug_sso_login` and `debug_sso_callback` methods in `litellm/proxy/management_endpoints/ui_sso.py` of litellm. The framework exposes Single Sign-On (SSO) troubleshooting endpoints without protecting them through the standard `Depends(user_api_key_auth)` restriction. This allows unauthenticated external attackers to bypass general proxy rules and receive raw HTML renders of the Identity Provider claims (including credentials).

# Vulnerable Code

File: `litellm/proxy/management_endpoints/ui_sso.py`

Methods: `debug_sso_login`, `debug_sso_callback`

Why: Both diagnostic route handlers entirely lack route checking parameters or global permission guards. Furthermore, `return_raw_sso_response=True` overrides standard payload filtration blocks (like `_OAUTH_TOKEN_FIELDS`), meaning direct authentication tokens (`access_token`, `id_token`) leak straight into the debug template. To worsen matters, the template embeds this using `json.dumps()` into a `<script>`, bypassing HTML sanitation and allowing generic Cross-Site Scripting (XSS).

# Reproduction

1. Have an SSO Identity integration connected to a target LiteLLM instance.
2. From an unauthenticated terminal session, trigger `GET http://localhost:4000/sso/debug/login`. Note the immediate 303 Redirect bypassing any API 401 challenges.
3. Traverse the UI-based Identity sign-in window.
4. View the returned callback dump yielding the internal user UUIDs, Team IDs, and full SSO raw tokens directly on the screen.

# Impact

- Massive Information Leakage surrounding internal user structures.
- Direct compromise of User Identity assertions regarding OAuth mechanisms via token dumping.
- Possible Stored XSS leading to active Administrative Session hijacks if the Identity scope handles arbitrary username values injected with `<script>` tags.
Source: https://gist.github.com/YLChen-007/9b13c75a3a73187a4082cc6df0b100d3
User: Eric-c (UID 96848)
Submission: 04/23/2026 10:06 (2 months ago)
Moderation: 06/20/2026 19:12 (2 months later)
Status: Accepted
VulDB entry: 372557 [BerriAI litellm up to 1.82.2 SSO Debug Flow ui_sso.py json.dumps missing authentication]
Points: 20
