37 matches found
CVE-2026-42208
LiteLLM proxy (AI Gateway) versions 1.81.16–1.83.6 suffer a SQL injection in the proxy API key verification path where the caller-supplied key is interpolated into a SQL query during error handling. An unauthenticated attacker can send a crafted Authorization header to LLM routes (e.g., POST /cha...
CVE-2026-42271
Summary: CVE-2026-42271 affects LiteLLM up to v1.83.7, where two MCP preview endpoints (POST /mcp-rest/test/connection and /tools/list) could spawn arbitrary commands via stdio transport when provided a full server config, restricted only by a valid API key. The subprocess ran with the proxy’s pr...
CVE-2024-6587
LiteLLM is affected by a Server-Side Request Forgery (SSRF) in the chat/completions endpoint. The vulnerability arises from using an attacker-controlled api_base, causing requests to be sent to an arbitrary domain and potentially exposing the OpenAI API key in the Authorization header. Affected v...
CVE-2024-2952
CVE-2024-2952 affects BerriAI/litellm. The vulnerability is an SSTI in the /completions endpoint: the hf_chat_template method processes the chat_template parameter from tokenizer_config.json using the Jinja template engine without proper sanitization, enabling attackers to craft malicious tokeniz...
CVE-2025-0330
The CVE-2025-0330 issue affects berriai/litellm v1.52.1, where a flaw in proxy_server.py leads to leakage of Langfuse API keys (langfuse_secret and langfuse_public_key) when parsing team settings. This reportedly grants full access to the Langfuse project storing all requests. Connected documents...
CVE-2024-9606
CVE-2024-9606 — Improper API key masking in Litellm A vulnerability in berriai/litellm prior to 1.44.12 arises from the masking logic in litellm_logging.py, which only masks the first 5 characters of API keys. This allows leakage of most of the secret key in logs, as noted for version v1.44.9 and...
CVE-2024-4890
The CVE-2024-4890 entry applies to the berriai/litellm project. A blind SQL injection exists in the /team/update flow due to improper handling of the user_id parameter in the raw SQL used to delete users, with affected version 1.27.14. Exploitation could yield unauthorized access to sensitive dat...
CVE-2026-35029
CVE-2026-35029 affects LiteLLM, a proxy AI Gateway. The /config/update endpoint lacks admin authorization, allowing an authenticated user to modify proxy config and environment variables, register attacker-controlled Python code handlers, achieve remote code execution, read arbitrary server files...
CVE-2026-35030
LiteLLM (proxy for LLM APIs) contains an authentication bypass flaw when JWT/OIDC authentication is enabled. The OIDC userinfo cache key is derived from the first 20 characters of the token, allowing an unauthenticated attacker to craft a token whose prefix matches a legitimate user’s cached toke...
CVE-2026-12773
Affected software: litellm MCP Proxy (BerriAI) up to version 1.59.8. The vulnerability lies in UserAPIKeyAuth in litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py, where authentication can be bypassed if an invalid token triggers a swallowed 401/403 exception, allowing unauthen...
CVE-2026-12774
CVE-2026-12774 affects BerriAI litellm up to 1.82.2. The vulnerability targets the function _execute_with_mcp_client in litellm/proxy/_experimental/mcp_server/rest_endpoints.py (MCP Server Connection Testing). It enables server‑side request forgery through manipulation of this component, with rem...
CVE-2026-49468
LiteLLM is a proxy server (AI Gateway) for calling LLM APIs. A host-header parsing flaw could allow authentication bypass by making the auth gate evaluate a different route than dispatched, effectively bypassing access controls under specific conditions. The issue is mitigated by upgrading to 1.8...
CVE-2024-5225
The CVE-2024-5225 issue affects litellm (LiteLLM) / berriai/litellm, specifically the /global/spend/logs endpoint, where the code builds an SQL query by directly concatenating an unvalidated api_key parameter. This SQL Injection vulnerability can lead to unauthorized access, data manipulation, ex...
CVE-2024-8984
The CVE-2024-8984 entry describes a Denial of Service vulnerability in berriai/litellm v1.44.5 caused by improper handling of multipart HTTP boundaries. An attacker can append characters to the boundary, triggering unbounded resource consumption and service unavailability. The issue is unauthenti...
CVE-2024-4888
BerriAI’s litellm (latest version) is affected by CVE-2024-4888 due to improper input validation on the /audio/transcriptions endpoint. The code uses os.remove(file.filename) to delete a file, allowing an attacker to delete arbitrary server files (e.g., SSH keys, SQLite databases, configuration f...
CVE-2026-42203
LiteLLM (proxy server) is affected from version 1.80.5 up to before 1.83.7 due to Server-Side Template Injection in the POST /prompts/test endpoint. The endpoint renders user-supplied prompt templates without sandboxing, enabling arbitrary code execution inside the LiteLLM Proxy process when auth...
CVE-2024-4889
CVE-2024-4889 affects berriai/litellm 1.34.6. The issue stems from unvalidated input in the secret management system’s eval function. When Google KMS is configured, an attacker can set UI_LOGO_PATH to a remote server in get_image, allowing writes to a malicious Google KMS configuration file at ca...
CVE-2026-33634
CVE-2026-33634 is tied to a supply-chain compromise involving Aqua Security Trivy. Concrete details show: (1) affected items include Trivy binary/image v0.69.4, and GitHub Actions components aquasecurity/trivy-action (versions 0.0.1–0.34.2, 76/77 forced-pushed) and aquasecurity/setup-trivy (0.2.0...
CVE-2024-5751
CVE-2024-5751 affects BerriAI/litellm v1.35.8. The vulnerability is in the add_deployment function, which base64-decodes and decrypts environment variables into os.environ; an attacker can trigger remote code execution by sending a malicious payload to /config/update, processed when get_secret ru...
CVE-2024-5710
CVE-2024-5710 affects berriai/litellm version 1.34.34. The issue is an improper access control in the Team Management feature, caused by insufficient access control checks across various endpoints. This enables unauthorized actors to perform actions such as creating, updating, viewing, deleting, ...
CVE-2024-6825
CVE-2024-6825 affects litellm 1.40.12. The vulnerability lies in how the post_call_rules configuration is parsed: a callback can be set to a system method (for example os.system), with the final part treated as the function name and the rest imported as a Python module, enabling arbitrary command...
CVE-2026-12799
The CVE-2026-12799 entry concerns BerriAI litellm up to version 1.82.2. The vulnerability affects the function ui_view_users in litellm/proxy/management_endpoints/internal_user_endpoints.py (component: Incomplete Fix CVE-2025-0628) and enables improper authorization. The issue can be exploited re...
CVE-2026-12770
The CVE affects litellm (BerriAI) up to version 1.63.1, specifically the Admin Key Handler component and the file litellm/proxy/management_endpoints/key_management_endpoints.py. The root cause is improper authorization caused by manipulation within this endpoint, enabling a remote attacker to exp...
CVE-2026-47102
LiteLLM is affected up to version 1.83.10. A vulnerability in the /user/update endpoint allows a user to modify their own user_role, potentially elevating to proxy_admin and gaining full administrative access to LiteLLM (including users, teams, keys, models, and prompt history). The flaw arises b...
CVE-2026-12772
CVE-2026-12772 affects BerriAI litellm up to 1.82.2, impacting the authenticate_user path in litellm/proxy/auth/login_utils.py for the PROXY_ADMIN database API Key Generator. Description indicates that manipulating input can cause session expiration and that the issue can be exploited remotely; e...
CVE-2025-45809
CVE-2025-45809 affects BerriAI litellm v1.65.4. The vulnerability is a SQL injection through the /key/block endpoint, enabling an attacker (proxy_admin_viewer) to brute-force files (PoC shows database read via pg_read_file and timing-based checks). The SNYK entry confirms the SQL injection and pr...
CVE-2026-12795
CVE-2026-12795 affects BerriAI litellm up to version 1.82.2 in the SSO Debug Flow component. The vulnerability concerns the function json.dumps within litellm/proxy/management_endpoints/ui_sso.py, where manipulation can lead to missing authentication. The issue is exploitable remotely and has had...
CVE-2026-59822
LiteLLM (proxy server for LLM APIs)Prior to 1.84.0, LiteLLM’s MCP Streamable HTTP endpoint was vulnerable to an unauthenticated exploit where a fabricated Authorization header triggered an OAuth2 passthrough fallback. This path replaced failed LiteLLM key validation with an empty UserAPIKeyAuth()...
CVE-2026-40217
LiteLLM (through 2026-04-08) is vulnerable to remote code execution via bytecode rewriting at /guardrails/test_custom_code. The CVSSv3.1 vector yields a high severity (8.8) with NETWORK attack, LOW privileges, no user interaction required. Affected component is unspecified beyond the URL vector; ...
CVE-2026-47101
LiteLLM prior to 1.83.14 is affected. An authenticated internal_user can generate API keys where allowed_routes may include admin-only routes, bypassing role-based access controls because the system does not verify that the requested routes fall within the creator’s permissions. This enables priv...
CVE-2026-12771
CVE-2026-12771 affects the litellm library by BerriAI up to version 1.82.2, specifically in litellm/proxy/auth/user_api_key_auth.py (M2M JWT Handler). The flaw enables improper authorization via remote exploitation with high attack complexity; public PoC exists. SNYK detaails identify the vulnera...
CVE-2026-12798
CVE-2026-12798 affects BerriAI litellm up to 1.82.2, specifically the MCP OpenAPI Spec Loader’s load_openapi_spec_async function. The root cause is manipulation of the spec_path argument allowing server-side request forgery, which can be triggered remotely. The description notes that the exploit ...
CVE-2026-12797
Technical details about CVE-2026-12797 are not publicly available in the provided documents. Monitor for updates from official advisories and vendor notices to obtain affected products, vulnerable components, and remediation information.
CVE-2026-12796
Affected software/impact: BerriAI litellm (up to version 1.82.2), specifically the get_redirect_response_from_openid function in litellm/proxy/management_endpoints/ui_sso.py of the SSO Authentication Flow. Root cause / vulnerability detail: The description states that manipulation leads to sessio...
CVE-2026-59819
LiteLLM (proxy for LLM APIs) prior to 1.83.10-stable has a local file read risk via the /health/test_connection endpoint. A privileged caller (e.g., proxy administrator) could supply environment/oidc/file references in litellm_params to read arbitrary local files, exposing sensitive contents. The...
CVE-2026-59821
LiteLLM is a proxy/AI Gateway for LLM API calls. A vulnerability exists in production create/update paths of Custom Code Guardrails before version 1.82.0-stable, where sandboxing/validation was not applied consistently with the test endpoint, allowing a privileged user to submit custom Python cod...
CVE-2026-59820
LiteLLM is a proxy AI gateway. A path traversal flaw existed in LiteLLM Skills archive extraction prior to version 1.83.7-stable, where uploaded skill ZIPs could write outside the intended extraction directory when an authenticated user accessed LLM API routes or held a key with /v1/skills, anthr...