[Bug]: Invite link allows password reset multiple times, leading to security vulnerability #13906

@TeddyAmkie

Description

What happened?

Security Vulnerability: Invite Link Allows Multiple Password Resets

Steps to Reproduce

  1. Create an invite link
  2. Use the invite link to set a password
  3. Use the same invite link to set a different password
  4. The password from step 2 becomes invalid; the password set in step 3 is now the active password for the user.

Impact

  • The invite link can be reused to overwrite a user’s password, potentially allowing unauthorized access.

Recommendations

  • Give the link a TTL
  • Invalidate the link after a password is set
  • Implement a separate “forgot password” flow
    - If a password exists in the DB, deny the request and log the attempt
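The three recommendations above map onto three checks in the code path that consumes an invite token. The following is an added example written for this issue, not LiteLLM's own implementation: an in-memory invite store whose `set_password_from_invite` enforces a TTL, marks the token used after the first successful password set, and refuses to overwrite an existing password (logging the attempt) so that a reused link cannot do what the reproduction steps describe. `InviteStore`, `INVITE_TTL_SECONDS`, the user/invite tables and the injectable clock are all assumptions for the example.

```python
# Added example: single-use, time-limited invite tokens for initial password setup.
# Illustrative code for this issue, not LiteLLM's own code. All names are assumptions.
import hashlib
import hmac
import logging
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

log = logging.getLogger("invite_flow")

INVITE_TTL_SECONDS = 24 * 60 * 60  # assumed TTL for an invite link (recommendation 1)


def _hash_token(raw_token: str) -> str:
    # Only the hash is persisted, so a leaked invite table does not yield usable links.
    return hashlib.sha256(raw_token.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Salted PBKDF2; stored as "<salt hex>$<digest hex>".
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class User:
    user_id: str
    password_hash: Optional[str] = None  # None until an invite is consumed


@dataclass
class Invite:
    token_hash: str
    user_id: str
    expires_at: float
    used: bool = False


class InviteStore:
    def __init__(self, ttl_seconds: int = INVITE_TTL_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._users: Dict[str, User] = {}
        self._invites: Dict[str, Invite] = {}

    def add_user(self, user_id: str) -> None:
        self._users[user_id] = User(user_id)

    def create_invite(self, user_id: str) -> str:
        raw = secrets.token_urlsafe(32)  # this value goes into the link
        token_hash = _hash_token(raw)
        self._invites[token_hash] = Invite(token_hash, user_id, self._clock() + self._ttl)
        return raw

    def set_password_from_invite(self, raw_token: str, new_password: str) -> bool:
        """Consume an invite. Returns True only on the first valid use."""
        invite = self._invites.get(_hash_token(raw_token))
        if invite is None:
            log.warning("invite rejected: unknown token")
            return False
        if invite.used:  # recommendation 2: link is invalid after a password is set
            log.warning("invite rejected: already used (user=%s)", invite.user_id)
            return False
        if self._clock() > invite.expires_at:  # recommendation 1: TTL
            log.warning("invite rejected: expired (user=%s)", invite.user_id)
            return False
        user = self._users[invite.user_id]
        if user.password_hash is not None:
            # Recommendation 3: an invite never overwrites an existing password;
            # that belongs to a separate forgot-password flow. Deny and log.
            log.warning("invite rejected: password already set (user=%s)", invite.user_id)
            return False
        user.password_hash = hash_password(new_password)
        invite.used = True  # invalidate immediately after the first successful use
        return True

    def check_login(self, user_id: str, password: str) -> bool:
        user = self._users.get(user_id)
        return bool(user and user.password_hash and verify_password(password, user.password_hash))
```

With these checks, repeating the reproduction steps (set a password, then reuse the same link with a different one) fails at step 3: the second call returns `False`, a warning is logged, and the password from step 2 stays active. The existing-password check also covers the case where a fresh invite is minted for an already-provisioned user, which is the scenario a separate forgot-password flow should own instead.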

Additional Info
Severity: High
Labels: security, bug, high priority

Relevant log output

No logs available—see reproduction steps above.

Are you an ML Ops Team?

No

What LiteLLM version are you on ?

1.75.9
