# OpenUI — Predictable LiteLLM master key due to incorrect string interpolation

STATUS: DRAFT
readiness: READY
program: OpenUI | platform: huntr | repo: wandb/openui | commit: f9d8f0e

````
Repository URL: https://github.com/wandb/openui
Package Manager: pip
Version Affected: 0.5.0
Vulnerability Type: Use of Hard-coded Credentials

CVSS:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High

Title: Predictable LiteLLM master key due to incorrect string interpolation (sk-{SESSION_KEY})

Impact: If the LiteLLM proxy is reachable in the deployment environment, an attacker can authenticate to LiteLLM using a predictable master key and gain unauthorized proxy capabilities, potentially enabling abuse of upstream model credentials and service/cost impact.

Description:

# Description

In `backend/openui/config.py`, when `LITELLM_MASTER_KEY` is not set, OpenUI attempts to derive a master key from the randomly generated session key, but uses a plain string literal where an f-string was intended:

```py
if os.getenv("LITELLM_MASTER_KEY") is None:
    os.environ["LITELLM_MASTER_KEY"] = "sk-{SESSION_KEY}"
```

This sets `LITELLM_MASTER_KEY` to the constant literal value `sk-{SESSION_KEY}` rather than interpolating the generated `SESSION_KEY`, so every deployment that relies on the default ends up with the same master key.

If OpenUI is run with LiteLLM enabled (`python -m openui --litellm`), it spawns a LiteLLM proxy subprocess listening on port `4000`. If that LiteLLM proxy is reachable by an attacker (exposed port, reachable from other containers, or reachable from within a multi-tenant environment), the attacker can authenticate using the predictable key.

# Proof of Concept

Precondition: a reachable LiteLLM proxy started by OpenUI with no explicit `LITELLM_MASTER_KEY` set.

1. Start OpenUI with `--litellm` and ensure the LiteLLM proxy port is reachable from the attacker's network context.
2. Send any LiteLLM proxy request using the known master key value `sk-{SESSION_KEY}` (exact header depends on LiteLLM proxy auth configuration).
3. Observe that the request is authorized despite the deployment intending a random master key.

### Impact

Unauthorized access to LiteLLM proxy capabilities if the proxy is reachable, potentially enabling abuse of configured provider keys and system resources.

### Occurrences

```
Permalink: https://github.com/wandb/openui/blob/f9d8f0e30e1efe2a21bbefffba33bcf6b4e12dc7/backend/openui/config.py#L33-L44
Description: When LITELLM_MASTER_KEY is unset, the code sets it to the literal string "sk-{SESSION_KEY}" (missing f-string interpolation) rather than an interpolated random value, making the master key predictable/constant.

Permalink: https://github.com/wandb/openui/blob/f9d8f0e30e1efe2a21bbefffba33bcf6b4e12dc7/backend/openui/__main__.py#L80-L104
Description: When run with --litellm, OpenUI spawns a LiteLLM proxy subprocess listening on port 4000.
```

### References

```
URL: https://cwe.mitre.org/data/definitions/798.html
Name: CWE-798: Use of Hard-coded Credentials

URL: https://owasp.org/www-project-top-ten/2021/A07_2021-Identification_and_Authentication_Failures/
Name: OWASP A07: Identification and Authentication Failures
```
````
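As an added illustration (example code, not code from the wandb/openui repository), the following Python places the defective derivation beside its corrected f-string form and adds two defender-side checks: a startup guard that rejects a placeholder or un-interpolated master key, and a small source lint that flags brace templates assigned to a plain string with no `f` prefix. `SESSION_KEY` is a constructed stand-in generated with `secrets.token_hex`; the names `resolve_master_key`, `master_key_is_weak` and `detect_literal_template` are this example's own assumptions, not OpenUI or LiteLLM APIs.

```python
import re
import secrets

# Constructed stand-in for OpenUI's per-instance SESSION_KEY (assumption: a random hex token).
SESSION_KEY = secrets.token_hex(32)

# The two lines quoted from config.py in this advisory, embedded as text for the lint below.
VULNERABLE_SNIPPET = '''if os.getenv("LITELLM_MASTER_KEY") is None:
    os.environ["LITELLM_MASTER_KEY"] = "sk-{SESSION_KEY}"
'''
FIXED_SNIPPET = '''if os.getenv("LITELLM_MASTER_KEY") is None:
    os.environ["LITELLM_MASTER_KEY"] = f"sk-{SESSION_KEY}"
'''


def buggy_master_key(session_key: str) -> str:
    """Reproduces the defect: a plain string literal, so the braces are never interpolated."""
    return "sk-{SESSION_KEY}"


def fixed_master_key(session_key: str) -> str:
    """Corrected form: an f-string that embeds the per-instance session key."""
    return f"sk-{session_key}"


def resolve_master_key(env: dict, session_key: str) -> str:
    """Mirrors the config.py control flow (assumption): an explicit LITELLM_MASTER_KEY
    wins, otherwise a key is derived from the session key and written back to env."""
    value = env.get("LITELLM_MASTER_KEY")
    if value is None:
        value = fixed_master_key(session_key)
        env["LITELLM_MASTER_KEY"] = value
    return value


PLACEHOLDER_KEYS = {"sk-{SESSION_KEY}", "sk-", ""}


def master_key_is_weak(value: str, min_secret_len: int = 32) -> bool:
    """Startup guard: True for the literal placeholder, any never-formatted template
    (stray braces), or a secret part shorter than min_secret_len characters."""
    if value in PLACEHOLDER_KEYS:
        return True
    if "{" in value or "}" in value:
        return True
    secret = value[3:] if value.startswith("sk-") else value
    return len(secret) < min_secret_len


# A double-quoted string containing {identifier} whose opening quote is not preceded
# by an f/F (or r/R) prefix: the exact shape of the bug in config.py.
_UNFORMATTED_TEMPLATE = re.compile(r'(?<![fFrR])"[^"]*\{[A-Za-z_]\w*\}[^"]*"')


def detect_literal_template(source: str) -> list[int]:
    """Source-level lint: 1-based line numbers that assign a brace template without f-prefix."""
    return [
        n for n, line in enumerate(source.splitlines(), 1)
        if _UNFORMATTED_TEMPLATE.search(line)
    ]


if __name__ == "__main__":
    print("buggy :", buggy_master_key(SESSION_KEY))
    print("fixed :", fixed_master_key(SESSION_KEY)[:12] + "...")
    print("weak? :", master_key_is_weak(buggy_master_key(SESSION_KEY)),
          master_key_is_weak(fixed_master_key(SESSION_KEY)))
    print("lint  :", detect_literal_template(VULNERABLE_SNIPPET),
          detect_literal_template(FIXED_SNIPPET))
```

The guard is the operationally useful part: calling `master_key_is_weak` on the resolved value at startup, and refusing to spawn the proxy when it returns True, turns a silent shared-secret condition into a loud failure. The lint is deliberately narrow (double quotes, a single `{name}` placeholder) so it matches the advisory's pattern without false positives on ordinary format strings.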