LiteLLM (48K stars) ships with master API key sk-1234 — full admin bypass on their AI Gateway. CVSS 9.8. Still unpatched in latest release.
LiteLLM, an AI Gateway used to route requests to multiple large language model providers, ships with a hardcoded master API key 'sk-1234' in its default configuration. This key grants full administrative access, including generating unlimited API keys, reading all stored provider credentials, making inference calls billed to the victim, accessing spend logs, and modifying or deleting models. The default key is present in the .env.example file and referenced directly in docker-compose setups, with no startup validation or forced rotation. The vulnerability remains unpatched as of the latest release (1.86.0). Hundreds of exposed instances with default configurations are publicly accessible, increasing the risk of exploitation. The issue was reported recently and is awaiting vendor response.
AI Analysis
Technical Summary
LiteLLM versions up to and including 1.86.0 ship with a default master API key 'sk-1234' embedded in the example environment configuration and docker-compose files. This key bypasses all authentication, granting full administrative privileges on the AI Gateway. The authentication code compares the provided API key to this master key without any startup validation or forced rotation, allowing attackers with knowledge of the default key to generate admin API keys, access all stored credentials for integrated LLM providers, perform inference calls billed to the victim, and modify or delete models. The vulnerability is publicly disclosed on Reddit and GitHub, with no official patch or mitigation from the vendor at this time.
Potential Impact
An attacker with knowledge of the default master API key can fully compromise the LiteLLM AI Gateway, gaining unrestricted administrative access. This includes generating unlimited API keys, accessing sensitive provider credentials, making unauthorized inference calls billed to the victim, viewing detailed spend logs, and altering or deleting AI models. The exposure of hundreds of publicly accessible instances with default configurations significantly increases the risk of widespread exploitation. No known exploits in the wild have been reported yet.
Mitigation Recommendations
As of the latest information, there is no official patch or fix available from the vendor. Users deploying LiteLLM must immediately change the default master API key from 'sk-1234' to a strong, unique value before exposing the service. It is critical to avoid deploying LiteLLM with the default .env.example configuration or docker-compose setup without modification. Monitor the vendor's GitHub issue tracker for updates and official remediation guidance. Patch status is not yet confirmed — check the vendor advisory or repository for current remediation guidance.
Reddit Discussion
LiteLLM is an AI Gateway used by enterprises to route requests to OpenAI, Anthropic, Azure, Bedrock, Vertex, and 100+ other LLM providers. It handles API keys, rate limiting, cost tracking, and load balancing.
The default .env.example ships with:
LITELLM_MASTER_KEY = "sk-1234"
The docker-compose.yml references this .env file directly.
THE AUTH CODE (user_api_key_auth.py:1257):
is_master_key_valid = secrets.compare_digest(api_key, master_key)
if is_master_key_valid:
    user_role = PROXY_ADMIN  # root access: master key match grants the admin role
There is NO startup validation. NO warning. NO forced rotation.
The key "sk-1234" is used in EVERY test file. It's been the default for years.
WHAT YOU GET WITH sk-1234:
- Generate unlimited API keys
- Read all stored provider credentials (OpenAI, Anthropic, Azure, etc.)
- Make inference calls on ANY configured provider (billed to victim)
- Access full spend logs with prompts and responses
- Create admin users, modify routing, delete models
LIVE DEMO:
I deployed LiteLLM 1.86.0 (latest), started the proxy with default config:
curl -H "Authorization: Bearer sk-1234" http://localhost:4000/health
→ 200 OK
curl -H "Authorization: Bearer sk-1234" http://localhost:4000/v1/models
→ 200 OK - full model list
curl -X POST -H "Authorization: Bearer sk-1234" http://localhost:4000/key/generate
→ Would generate admin API keys (needs Postgres configured)
Shodan query: title:"LiteLLM" port:4000
→ Hundreds of exposed instances, many likely with default key.
GitHub issue: https://github.com/BerriAI/litellm/issues/28797
Reported: Today. Status: Awaiting response.
If you deploy LiteLLM from docker-compose without changing the default .env, your entire AI gateway is wide open. Change your master key NOW.
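A pre-deployment check of the kind the mitigation section calls for, added here as an example and not code from the LiteLLM project: it parses a .env file, refuses the shipped default master key (the extra weak look-alikes and the 32-character policy floor are my assumptions), and proposes a replacement generated with the secrets module. The .env text is constructed sample input.

```python
import re
import secrets

# Shipped default from .env.example (from the page) plus trivially weak
# look-alikes; the extra entries are an assumption, not LiteLLM's list.
DEFAULT_MASTER_KEYS = {"sk-1234", "sk-12345", "sk-123456", "sk-test"}
MIN_KEY_LENGTH = 32  # assumed policy floor, not a LiteLLM requirement

# Matches KEY=value and KEY = "value", with optional leading "export".
ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)\s*$')

# Constructed sample .env mirroring the shipped example value.
SAMPLE_ENV = '''# constructed sample, not the project's file
LITELLM_MASTER_KEY = "sk-1234"
DATABASE_URL=postgresql://litellm:pass@db:5432/litellm
'''

def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal .env parser: blank lines and '#' comments are skipped."""
    env: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip('"').strip("'")
    return env

def check_master_key(env: dict[str, str]) -> list[str]:
    """Return findings that should block startup; an empty list means OK."""
    findings = []
    key = env.get("LITELLM_MASTER_KEY", "")
    if not key:
        findings.append("LITELLM_MASTER_KEY is unset; set an explicit strong value")
    elif key in DEFAULT_MASTER_KEYS:
        findings.append("LITELLM_MASTER_KEY is the shipped default; "
                        "anyone who has read .env.example is PROXY_ADMIN")
    elif len(key) < MIN_KEY_LENGTH:
        findings.append(f"LITELLM_MASTER_KEY is {len(key)} chars, "
                        f"below the {MIN_KEY_LENGTH}-char policy floor")
    return findings

def generate_master_key() -> str:
    """Replacement: 'sk-' prefix kept for client compatibility, 32 random bytes."""
    return "sk-" + secrets.token_urlsafe(32)

if __name__ == "__main__":
    for finding in check_master_key(parse_dotenv(SAMPLE_ENV)):
        print("BLOCK:", finding)
    print("suggested LITELLM_MASTER_KEY:", generate_master_key())
```

Run it as a CI or entrypoint gate so the proxy never starts with the default key.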
Technical Details
- Source Type: Subreddit (cybersecurity)
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a151285a5ae1af1aa290fbc
Added to database: 5/26/2026, 3:24:53 AM
Last enriched: 5/26/2026, 3:25:00 AM
Last updated: 5/26/2026, 4:32:33 AM