410 matches found
LiteLLM - Arbitrary File Read
LiteLLM 1.83.0 contains a broken access control vulnerability caused by lack of admin role enforcement on /config/update endpoint, letting authenticated users modify configurations, execute code, read files, and take over accounts. id: CVE-2026-35029 info: name: LiteLLM - Arbitrary File Read...
LiteLLM - Server-Side Request Forgery
LiteLLM vulnerable to Server-Side Request Forgery SSRF vulnerability Exposes OpenAI API Keys. id: CVE-2024-6587 info: name: LiteLLM - Server-Side Request Forgery author: pdresearch,iamnoooob,rootxharsh,lambdasawa severity: high description: | LiteLLM vulnerable to Server-Side Request Forgery SSRF...
LiteLLM - SQL Injection
LiteLLM 1.81.16 to 1.83.7 contains a SQL injection caused by improper handling of caller-supplied key in database query during proxy API key checks, letting unauthenticated attackers read and modify database data, exploit requires crafted Authorization header. id: CVE-2026-42208 info: name: LiteL...
LiteLLM - Command Injection
A critical unauthenticated remote code execution vulnerability exists in LiteLLM due to improper input handling in the MCP stdio test endpoint. An attacker can send a specially crafted request to the /mcp-rest/test/connection endpoint with controlled parameters, resulting in arbitrary command...
CVE-2026-59821
A flaw was found in LiteLLM, a proxy server for Large Language Model LLM APIs. A privileged user with access to create or update custom code guardrails could exploit this vulnerability. The flaw allowed the user to submit custom Python code that would execute within the LiteLLM proxy environment,...
CVE-2026-59819
A flaw was found in LiteLLM, a proxy server for Large Language Model LLM APIs. A privileged caller, such as a proxy administrator, with permissions to test model connections, could exploit the /health/testconnection endpoint. By supplying specific environment or OIDC OpenID Connect file reference...
CVE-2026-59822
LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.84.0, LiteLLM's MCP Streamable HTTP endpoint allowed an unauthenticated attacker to use a fabricated Authorization header to trigger an OAuth2 passthrough fallback path that replaced failed LiteLLM key...
CVE-2026-59821
LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.82.0-stable, LiteLLM's Custom Code Guardrails production create and update paths did not apply the same sandboxing and validation used by the test endpoint, allowing a privileged user with access to creat...
CVE-2026-59819
LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.83.10-stable, LiteLLM's /health/testconnection endpoint resolved request-supplied environment and OIDC file references in litellmparams, allowing a proxy administrator or another privileged caller with...
CVE-2026-59819 LiteLLM: Local file read via request-supplied OIDC file references
LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.83.10-stable, LiteLLM's /health/testconnection endpoint resolved request-supplied environment and OIDC file references in litellmparams, allowing a proxy administrator or another privileged caller with...
CVE-2026-59822
LiteLLM (proxy server for LLM APIs)Prior to 1.84.0, LiteLLM’s MCP Streamable HTTP endpoint was vulnerable to an unauthenticated exploit where a fabricated Authorization header triggered an OAuth2 passthrough fallback. This path replaced failed LiteLLM key validation with an empty UserAPIKeyAuth()...
CVE-2026-59822 LiteLLM: MCP Authentication Bypass via OAuth2 Passthrough Fallback
LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.84.0, LiteLLM's MCP Streamable HTTP endpoint allowed an unauthenticated attacker to use a fabricated Authorization header to trigger an OAuth2 passthrough fallback path that replaced failed LiteLLM key...
CVE-2026-59820
LiteLLM is a proxy AI gateway. A path traversal flaw existed in LiteLLM Skills archive extraction prior to version 1.83.7-stable, where uploaded skill ZIPs could write outside the intended extraction directory when an authenticated user accessed LLM API routes or held a key with /v1/skills, anthr...
CVE-2026-59821
LiteLLM is affected by CVE-2026-59821 where the Custom Code Guardrails production endpoints did not apply the same sandboxing/validation as the test endpoint. This allowed a privileged user who can create or update guardrails to submit custom Python code that could execute within the LiteLLM prox...
PT-2026-56544
Name of the Vulnerable Software and Affected Versions LiteLLM versions prior to 1.82.0-stable Description LiteLLM is a proxy server that acts as an AI Gateway for calling LLM APIs. A flaw exists in the production create and update paths of the Custom Code Guardrails, which failed to apply the sam...
PT-2026-56542
Name of the Vulnerable Software and Affected Versions LiteLLM versions prior to 1.83.10-stable Description LiteLLM is a proxy server that functions as an AI Gateway for calling LLM APIs. The '/health/test connection' endpoint resolves request-supplied environment and OIDC file references within t...
PYSEC-2026-388 LiteLLM: Authentication Bypass via Host Header Injection
Impact A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from request.url.path in litellm/proxy/auth/authutils.py::getrequestroute, which Starlette reconstructs...
PYSEC-2026-389 litellm vulnerable to remote code execution based on using eval unsafely
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the adddeployment function, which decodes and decrypts environment variables from base64 and assigns them to os.environ. An attacker can exploit this by sendin...
PYSEC-2026-387 LiteLLM has Server-Side Template Injection vulnerability in /completions endpoint
BerriAI/litellm is vulnerable to Server-Side Template Injection SSTI via the /completions endpoint. The vulnerability arises from the hfchattemplate method processing the chattemplate parameter from the tokenizerconfig.json file through the Jinja template engine without proper sanitization...
CVE-2026-12772
A flaw was found in BerriAI litellm. A remote attacker could exploit a vulnerability in the authenticateuser function within the PROXYADMIN database API Key Generator component. By performing a specific manipulation, an attacker can cause session expiration for users, leading to a denial of servi...