[Bug]: Editting a key in the UI clears its user_id via /key/update (vuln?) #8394

xmcp · 2025-02-08T15:17:44Z

What happened?

Step to reproduce:

Log in as an internal user
Create a key via "Virtual Keys" -> "+ Create New Key"
Click on the edit button to bring up the modal, and then click on "Edit Key" to save
Refresh the page
Observe that the key is not shown in the "Virtual Keys" table anymore
The user can still make requests with this key, and the spend won't be linked to that user anymore

After carelessly inspecting the code, the problem might be that when /key/update is called without the user_id field, it will be reset to null in prepare_key_update_data.

This might be a vulnerability but I will just post it here since it is too trivial for anyone to find.

Relevant log output

N/A

Are you a ML Ops Team?

Yes

What LiteLLM version are you on ?

v1.60.2

Twitter / LinkedIn details

No response

The text was updated successfully, but these errors were encountered:

xmcp · 2025-02-08T15:28:17Z

Wait I found that there is no need to even call /key/update. The /key/generate already sets user_id to null. Is this the expected behavior?

xmcp added the bug Something isn't working label Feb 8, 2025

github-actions bot added the mlops user request label Feb 8, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: Editting a key in the UI clears its user_id via /key/update (vuln?) #8394

[Bug]: Editting a key in the UI clears its user_id via /key/update (vuln?) #8394

xmcp commented Feb 8, 2025

xmcp commented Feb 8, 2025

[Bug]: Editting a key in the UI clears its user_id via /key/update (vuln?) #8394

[Bug]: Editting a key in the UI clears its user_id via /key/update (vuln?) #8394

Comments

xmcp commented Feb 8, 2025

What happened?

Relevant log output

Are you a ML Ops Team?

What LiteLLM version are you on ?

Twitter / LinkedIn details

xmcp commented Feb 8, 2025