GHSA-69x8-hrgq-fjj8: LiteLLM: Password hash exposure and pass-the-hash authentication bypass
Summary
LiteLLM had three security flaws that combined to allow attackers to take over user accounts: passwords were stored using weak SHA-256 hashing without salt (making them easy to crack with rainbow tables, which are pre-computed lists of password hashes), the password hashes were exposed in API responses that any logged-in user could access, and the login endpoint accepted raw hashes instead of requiring the actual password (a vulnerability called pass-the-hash). An attacker could retrieve another user's password hash through the API and use it directly to log in as that user.
Solution / Mitigation
Fixed in v1.83.0. Passwords are now hashed with scrypt (a much stronger algorithm using a random 16-byte salt with parameters n=16384, r=8, p=1). Password hashes are stripped from all API responses. Existing SHA-256 hashes are transparently migrated to the new format on the user's next login.
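To make the three flaws and the fix concrete, the following added example (written for this page, not LiteLLM's own code) puts the legacy scheme beside a hardened one: unsalted SHA-256 storage with a login check that also accepts the raw hash, versus scrypt with a random 16-byte salt and the advisory's n=16384, r=8, p=1 parameters, a login that only ever hashes the supplied plaintext, lazy migration of a legacy hash on the next successful login, and redaction of the hash from anything returned by an API. The in-memory user store, the `scrypt$n$r$p$salt$digest` storage format and all function names are assumptions for illustration.

```python
"""Added example: legacy unsalted SHA-256 + pass-the-hash login beside a
scrypt-based scheme with lazy migration and API-response redaction.
Not LiteLLM's code; the storage format and helper names are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

# Parameters named in the advisory (scrypt n=16384, r=8, p=1, 16-byte salt).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 16384, 8, 1
SALT_BYTES = 16


# --- legacy (vulnerable) scheme, kept only so the migration path can be shown ---
def legacy_sha256_hash(password: str) -> str:
    # Unsalted: equal passwords give equal hashes, so a precomputed table breaks them.
    return hashlib.sha256(password.encode()).hexdigest()


def legacy_login(stored_hash: str, supplied: str) -> bool:
    # Accepts the stored hash itself as a credential: this is the pass-the-hash flaw.
    return supplied == stored_hash or legacy_sha256_hash(supplied) == stored_hash


# --- hardened scheme ---
def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt; a fresh random salt per hash, encoded with its parameters."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_scrypt(stored: str, password: str) -> bool:
    """Recompute from the stored salt/parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def is_legacy(stored: str) -> bool:
    return not stored.startswith("scrypt$")


def login(users: dict, user_id: str, password: str) -> bool:
    """Accept only a plaintext password; upgrade a legacy hash on success."""
    record = users.get(user_id)
    if record is None:
        scrypt_hash(password)  # spend the same work so timing does not reveal user existence
        return False
    stored = record["password"]
    if is_legacy(stored):
        # The supplied value is always hashed first, so a leaked hash no longer logs in.
        ok = hmac.compare_digest(legacy_sha256_hash(password), stored)
        if ok:
            record["password"] = scrypt_hash(password)  # transparent migration
        return ok
    return verify_scrypt(stored, password)


def public_user_view(record: dict) -> dict:
    """What an API response may contain: everything except the password hash."""
    return {k: v for k, v in record.items() if k != "password"}


def make_store() -> dict:
    # Constructed sample data: one account still on the legacy hash format.
    return {"alice": {"user_id": "alice", "role": "user",
                      "password": legacy_sha256_hash("correct horse battery")}}


if __name__ == "__main__":
    users = make_store()
    leaked = users["alice"]["password"]
    print("legacy login with the hash itself:", legacy_login(leaked, leaked))
    print("hardened login with the hash itself:", login(users, "alice", leaked))
    print("hardened login with the password:", login(users, "alice", "correct horse battery"))
    print("stored now:", users["alice"]["password"][:24] + "...")
    print("API view:", public_user_view(users["alice"]))
```

The migration works because the plaintext is available exactly once, at login; a hash cannot be re-hashed into scrypt offline, so accounts that never log in again keep the weak hash and would need a forced reset to be fully covered.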
Original source: https://github.com/advisories/GHSA-69x8-hrgq-fjj8
First tracked: April 8, 2026 at 02:01 AM
Classified by LLM (prompt v3) · confidence: 92%