API Key Authentication Vulnerability

Hello OpenAI Team,

I am the author of the open-source project ChatGPT Next Web.

Today, I received reports from my users regarding a vulnerability in OpenAI’s API key authentication system. When a user’s API key is leaked, an attacker can easily use the undisclosed interface to create new API keys in bulk. This is obviously not an acceptable practice, and I recommend that you review all of your undisclosed interface authentication mechanisms and strictly limit access to API keys.

Here is an example of a possible attack:

curl -i https://api.openai.com/dashboard/user/api_keys \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer sk-leaked-api-key" \
  -d '{
    "action": "create",
    "name": "key-name"
  }'

This request can be used with a user’s leaked API key to generate new API keys without any restrictions.

Please let me know if you need any further information or if I can be of any assistance in addressing this issue.


Thank you for the reminder, I’ll follow the document to report the issue.

Can a leaked API key increase the limit to $120?

If the leaked key has been deleted from the account, is it still possible to generate a new key?

Hi Shravan,

It should not be possible for a user with a deleted API key to generate a new one or alter any account details.

Update: this has been fixed by OpenAI.
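The two properties the thread asks for are (a) a bearer API key used for inference must not be able to mint further keys, and (b) a revoked key must be able to do nothing at all. The following is an added example, not code from OpenAI or from the ChatGPT Next Web project, modelling that control-plane / data-plane separation as a small in-memory authorization gate. The `KeyStore` class, the `POLICY` table, the `sk-demo-` / `sess-demo-` token prefixes and the account name are all constructed for illustration; it also records denied key-management attempts so that a flood of them from one account can be alerted on.

```python
"""Minimal control-plane / data-plane separation for API keys (added example).

Not code from OpenAI or ChatGPT Next Web. Every name, prefix and the
in-memory store below is constructed for illustration only.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from enum import Enum, auto


class CredentialKind(Enum):
    API_KEY = auto()            # long-lived bearer key: data plane only
    DASHBOARD_SESSION = auto()  # short-lived, user-authenticated session


@dataclass
class Credential:
    token: str
    kind: CredentialKind
    account: str
    revoked: bool = False


# Which credential kinds may perform which action. Key management is
# deliberately absent from the API_KEY rows: a leaked key cannot clone itself.
POLICY = {
    "inference": {CredentialKind.API_KEY, CredentialKind.DASHBOARD_SESSION},
    "create_key": {CredentialKind.DASHBOARD_SESSION},
    "revoke_key": {CredentialKind.DASHBOARD_SESSION},
}


class KeyStore:
    def __init__(self) -> None:
        self._creds: dict[str, Credential] = {}
        # (account or "unknown", action) for every refused request; feed to alerting
        self.denied: list[tuple[str, str]] = []

    def open_dashboard_session(self, account: str) -> str:
        token = "sess-demo-" + secrets.token_urlsafe(16)  # constructed prefix
        self._creds[token] = Credential(token, CredentialKind.DASHBOARD_SESSION, account)
        return token

    def authorize(self, token: str, action: str) -> bool:
        """Unknown, revoked, or wrong-kind credentials are all refused and logged."""
        cred = self._creds.get(token)
        if cred is None or cred.revoked or cred.kind not in POLICY.get(action, set()):
            self.denied.append((cred.account if cred else "unknown", action))
            return False
        return True

    def create_api_key(self, requester: str, name: str) -> str:
        if not self.authorize(requester, "create_key"):
            raise PermissionError("key creation requires an authenticated dashboard session")
        account = self._creds[requester].account
        token = "sk-demo-" + secrets.token_urlsafe(24)  # constructed prefix, not a real key format
        self._creds[token] = Credential(token, CredentialKind.API_KEY, account)
        return token

    def revoke(self, requester: str, token: str) -> None:
        if not self.authorize(requester, "revoke_key"):
            raise PermissionError("key revocation requires an authenticated dashboard session")
        cred = self._creds.get(token)
        if cred is None or cred.account != self._creds[requester].account:
            raise KeyError("no such key in this account")
        cred.revoked = True

    def denied_count(self, account: str, action: str) -> int:
        return sum(1 for acct, act in self.denied if acct == account and act == action)


def demo() -> dict:
    """Walk through the leaked-key and revoked-key scenarios from the thread."""
    store = KeyStore()
    session = store.open_dashboard_session("acct-demo")  # constructed account
    key = store.create_api_key(session, "app-key")
    results = {
        "key_can_infer": store.authorize(key, "inference"),
        "key_can_create": store.authorize(key, "create_key"),
    }
    try:  # a leaked bearer key attempting to mint a new key
        store.create_api_key(key, "bulk-1")
        results["leaked_key_minted_key"] = True
    except PermissionError:
        results["leaked_key_minted_key"] = False
    store.revoke(session, key)  # the account owner deletes the leaked key
    results["revoked_key_can_infer"] = store.authorize(key, "inference")
    results["denied_create_attempts"] = store.denied_count("acct-demo", "create_key")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that `POLICY` is keyed on credential kind, not on the account: a valid, unrevoked API key for the right account is still refused `create_key`, and every refusal lands in `store.denied`, which is the signal a detection rule would count per account.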