{"data":{"id":"48a686d9-2c15-4ca1-9f94-f3efdcf252d3","title":"GHSA-69x8-hrgq-fjj8: LiteLLM: Password hash exposure and pass-the-hash authentication bypass","summary":"LiteLLM had three security flaws that combined to allow attackers to take over user accounts: passwords were stored using weak SHA-256 hashing without salt (making them easy to crack with rainbow tables, which are pre-computed lists of password hashes), the password hashes were exposed in API responses that any logged-in user could access, and the login endpoint accepted raw hashes instead of requiring the actual password (a vulnerability called pass-the-hash). An attacker could retrieve another user's password hash through the API and use it directly to log in as that user.","solution":"Fixed in v1.83.0. Passwords are now hashed with scrypt (a much stronger algorithm using a random 16-byte salt with parameters n=16384, r=8, p=1). Password hashes are stripped from all API responses. Existing SHA-256 hashes are transparently migrated to the new format on the user's next login.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-69x8-hrgq-fjj8","publishedAt":"2026-04-08T00:04:12.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["litellm@< 1.83.0 (fixed: 1.83.0)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["LiteLLM"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-08T00:04:12.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}