RedhatCVE · added 6 days ago · 9 views

CVE-2026-47101

A flaw was found in LiteLLM. An authenticated internal user can exploit this vulnerability by creating API keys that grant access to routes beyond their assigned role. This occurs because the system fails to verify if the specified allowed_routes for the API key align with the user's actual...

CVSS 8.8 · AI score 6 · EPSS 0.00739
Exploits: 3 · References: 10

NVD · added 2026/06/21 10:16 a.m. · 13 views

CVE-2026-12799

A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this issue is the function ui_view_users of the file litellm/proxy/management_endpoints/internal_user_endpoints.py of the component Incomplete Fix CVE-2025-0628. Such manipulation leads to improper authorization. I...

CVSS 5.3 · EPSS 0.00288
Exploits: 1 · References: 5

CVE · added 2026/06/21 10:00 a.m. · 17 views

CVE-2026-12799

The CVE-2026-12799 entry concerns BerriAI litellm up to version 1.82.2. The vulnerability affects the function ui_view_users in litellm/proxy/management_endpoints/internal_user_endpoints.py (component: Incomplete Fix CVE-2025-0628) and enables improper authorization. The issue can be exploited re...

CVSS 5.3 · AI score 5.3 · EPSS 0.00288
Exploits: 1 · References: 5 · Affected software: 1

Cvelist · added 2026/06/21 10:00 a.m. · 32 views

CVE-2026-12799 BerriAI litellm Incomplete Fix CVE-2025-0628 internal_user_endpoints.py ui_view_users improper authorization

A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this issue is the function ui_view_users of the file litellm/proxy/management_endpoints/internal_user_endpoints.py of the component Incomplete Fix CVE-2025-0628. Such manipulation leads to improper authorization. I...

CVSS 5.3 · EPSS 0.00288
Exploits: 1 · References: 5

EUVD · added 2026/06/21 10:00 a.m. · 8 views

EUVD-2026-38158

A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this issue is the function ui_view_users of the file litellm/proxy/management_endpoints/internal_user_endpoints.py of the component Incomplete Fix CVE-2025-0628. Such manipulation leads to improper authorization. I...

CVSS 8.1 · AI score 6 · EPSS 0.00315
Exploits: 1 · References: 5

Github Security Blog · added 2026/05/21 9:30 p.m. · 4 views

LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit

LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...

CVSS 8.8 · AI score 6.1 · EPSS 0.00739
Exploits: 3 · References: 10 · Affected software: 1

OSV · added 2026/05/21 9:30 p.m. · 2 views

GHSA-QRC4-49GV-MV9M LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit

LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...

CVSS 8.8 · AI score 6.1 · EPSS 0.00739
Exploits: 3 · References: 10

CVE · added 2026/05/21 8:33 p.m. · 22 views

CVE-2026-47101

LiteLLM prior to 1.83.14 is affected. An authenticated internal_user can generate API keys where allowed_routes may include admin-only routes, bypassing role-based access controls because the system does not verify that the requested routes fall within the creator's permissions. This enables priv...

CVSS 8.8 · AI score 5.8 · EPSS 0.00739
Exploits: 3 · References: 11 · Affected software: 1

Cvelist · added 2026/05/21 8:33 p.m. · 35 views

CVE-2026-47101 LiteLLM < 1.83.14 Privilege Escalation via API Key Generation

LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...

CVSS 8.8 · EPSS 0.00739
Exploits: 3 · References: 8

EUVD · added 2026/05/21 8:33 p.m. · 8 views

EUVD-2026-31346

LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...

CVSS 8.8 · AI score 5.8 · EPSS 0.00739
Exploits: 3 · References: 7

ATTACKERKB · added 2026/05/21 8:33 p.m. · 10 views

CVE-2026-47101

LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...

CVSS 8.8 · AI score 5.8 · EPSS 0.00739
Exploits: 3 · References: 8

Vulnrichment · added 2026/05/21 8:33 p.m. · 11 views

CVE-2026-47101 LiteLLM < 1.83.14 Privilege Escalation via API Key Generation

LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...

CVSS 8.8 · AI score 5.8 · EPSS 0.00739
Exploits: 3 · References: 8

CNNVD · added 2026/05/21 12:00 a.m. · 10 views

LiteLLM security vulnerability

LiteLLM is an open-source application developed by Berri AI. It can utilize all LLM APIs in the OpenAI format. Versions of LiteLLM prior to 1.83.14 contained a security vulnerability. This vulnerability stemmed from the lack of verification of whether the allowed_routes field was within the user's...

CVSS 8.8 · AI score 5.8 · EPSS 0.00739
Exploits: 3 · References: 1

Positive Technologies · added 2026/05/21 12:00 a.m. · 17 views

PT-2026-42538

Name of the Vulnerable Software and Affected Versions: LiteLLM versions prior to 1.83.14. Description: An authenticated internal user can create API keys with access to routes not permitted by their role. This occurs because the allowed routes field is stored during key generation without verifying ...

CVSS 8.8 · AI score 5.2 · EPSS 0.00739
Exploits: 3 · References: 16

Positive Technologies · added 2026/04/02 12:00 a.m. · 5 views

PT-2026-29794

An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the "Add data source" feature to break out of the database context and execute shell commands on the underlying operating system...

CVSS 9.9 · AI score 6 · EPSS 0.00289
Exploits: 1 · References: 4

Snyk · added 2026/04/01 6:33 a.m. · 3 views

Missing Authentication for Critical Function

Overview: litellm is a library to easily interface with LLM API providers. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the key-management endpoints due to improper enforcement of proxy-admin, team-admin, org-admin, or ownership checks. An...

CVSS 6 · AI score 5.9
Exploits: 0 · References: 3

HackRead · added 2026/02/05 10:50 p.m. · 4 views

Substack Breach: 662,752 User Records Leaked on Cybercrime Forum

Substack confirms a breach after a hacker accessed internal user records now circulating on crime forums, exposing emails, phone numbers, and account metadata...

AI score 5.3
Exploits: 0

OSV · added 2026/02/03 12:30 p.m. · 4 views

GHSA-8JRV-WX83-W3XJ Moodle Inserts Sensitive Information Into Sent Data

A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure...

CVSS 4.3 · AI score 5.3 · EPSS 0.00342
Exploits: 0 · References: 7

Snyk · added 2026/02/03 11:48 a.m. · 3 views

Insertion of Sensitive Information Into Sent Data

Overview: moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the URLs during anonymous assignment submissions. An attacker can access internal user identifiers by viewing exposed URLs, which may compromise...

CVSS 5.3 · AI score 5.5 · EPSS 0.00342
Exploits: 0 · References: 2

NVD · added 2026/02/03 11:15 a.m. · 7 views

CVE-2025-67857

A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure...

CVSS 5.3 · EPSS 0.00342
Exploits: 0 · References: 3