diff --git a/litellm/proxy/management_endpoints/key_management_endpoints.py b/litellm/proxy/management_endpoints/key_management_endpoints.py index 5afa505e9e..bb1de5e8ce 100644 --- a/litellm/proxy/management_endpoints/key_management_endpoints.py +++ b/litellm/proxy/management_endpoints/key_management_endpoints.py @@ -1344,6 +1344,17 @@ async def update_key_fn( detail={"error": f"Team not found, passed team_id={data.team_id}"}, ) + ## sanity check - prevent non-proxy admin user from updating key to belong to a different user + if ( + data.user_id is not None + and data.user_id != existing_key_row.user_id + and user_api_key_dict.user_role != LitellmUserRoles.PROXY_ADMIN.value + ): + raise HTTPException( + status_code=403, + detail=f"User={data.user_id} is not allowed to update key={key} to belong to user={existing_key_row.user_id}", + ) + common_key_access_checks( user_api_key_dict=user_api_key_dict, data=data,