Lucene search
+L
LitellmLitellm

37 matches found

CVE
CVE
added 2026/05/08 3:38 a.m.413 views

CVE-2026-42208

LiteLLM proxy (AI Gateway) versions 1.81.16–1.83.6 suffer a SQL injection in the proxy API key verification path where the caller-supplied key is interpolated into a SQL query during error handling. An unauthenticated attacker can send a crafted Authorization header to LLM routes (e.g., POST /cha...

9.8CVSS6AI score0.86607EPSS
In wildWeb
CVE
CVE
added 2026/05/08 3:35 a.m.236 views

CVE-2026-42271

Summary: CVE-2026-42271 affects LiteLLM up to v1.83.7, where two MCP preview endpoints (POST /mcp-rest/test/connection and /tools/list) could spawn arbitrary commands via stdio transport when provided a full server config, restricted only by a valid API key. The subprocess ran with the proxy’s pr...

8.8CVSS6AI score0.80188EPSS
In wildWeb
CVE
CVE
added 2024/09/13 3:59 p.m.194 views

CVE-2024-6587

LiteLLM is affected by a Server-Side Request Forgery (SSRF) in the chat/completions endpoint. The vulnerability arises from using an attacker-controlled api_base, causing requests to be sent to an arbitrary domain and potentially exposing the OpenAI API key in the Authorization header. Affected v...

7.5CVSS7.4AI score0.37197EPSS
In wildWeb
CVE
CVE
added 2024/04/10 5:7 p.m.129 views

CVE-2024-2952

CVE-2024-2952 affects BerriAI/litellm. The vulnerability is an SSTI in the /completions endpoint: the hf_chat_template method processes the chat_template parameter from tokenizer_config.json using the Jinja template engine without proper sanitization, enabling attackers to craft malicious tokeniz...

9.8CVSS9.8AI score0.01256EPSS
Web
CVE
CVE
added 2025/03/20 10:9 a.m.98 views

CVE-2025-0330

The CVE-2025-0330 issue affects berriai/litellm v1.52.1, where a flaw in proxy_server.py leads to leakage of Langfuse API keys (langfuse_secret and langfuse_public_key) when parsing team settings. This reportedly grants full access to the Langfuse project storing all requests. Connected documents...

7.5CVSS7.5AI score0.00523EPSS
CVE
CVE
added 2025/03/20 10:9 a.m.97 views

CVE-2024-9606

CVE-2024-9606 — Improper API key masking in Litellm A vulnerability in berriai/litellm prior to 1.44.12 arises from the masking logic in litellm_logging.py, which only masks the first 5 characters of API keys. This allows leakage of most of the secret key in logs, as noted for version v1.44.9 and...

7.5CVSS7.1AI score0.00708EPSS
CVE
CVE
added 2024/06/06 6:23 p.m.94 views

CVE-2024-4890

The CVE-2024-4890 entry applies to the berriai/litellm project. A blind SQL injection exists in the /team/update flow due to improper handling of the user_id parameter in the raw SQL used to delete users, with affected version 1.27.14. Exploitation could yield unauthorized access to sensitive dat...

4.9CVSS5.4AI score0.0056EPSS
CVE
CVE
added 2026/04/06 4:35 p.m.93 views

CVE-2026-35029

CVE-2026-35029 affects LiteLLM, a proxy AI Gateway. The /config/update endpoint lacks admin authorization, allowing an authenticated user to modify proxy config and environment variables, register attacker-controlled Python code handlers, achieve remote code execution, read arbitrary server files...

8.8CVSS6.3AI score0.26409EPSS
CVE
CVE
added 2026/04/06 4:47 p.m.90 views

CVE-2026-35030

LiteLLM (proxy for LLM APIs) contains an authentication bypass flaw when JWT/OIDC authentication is enabled. The OIDC userinfo cache key is derived from the first 20 characters of the token, allowing an unauthenticated attacker to craft a token whose prefix matches a legitimate user’s cached toke...

9.4CVSS5.9AI score0.0049EPSS
Web
CVE
CVE
added 2026/06/21 3:15 a.m.84 views

CVE-2026-12773

Affected software: litellm MCP Proxy (BerriAI) up to version 1.59.8. The vulnerability lies in UserAPIKeyAuth in litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py, where authentication can be bypassed if an invalid token triggers a swallowed 401/403 exception, allowing unauthen...

9.8CVSS6.7AI score0.00612EPSS
CVE
CVE
added 2026/06/21 3:45 a.m.81 views

CVE-2026-12774

CVE-2026-12774 affects BerriAI litellm up to 1.82.2. The vulnerability targets the function _execute_with_mcp_client in litellm/proxy/_experimental/mcp_server/rest_endpoints.py (MCP Server Connection Testing). It enables server‑side request forgery through manipulation of this component, with rem...

6.5CVSS6AI score0.00262EPSS
CVE
CVE
added 2026/06/22 8:37 p.m.80 views

CVE-2026-49468

LiteLLM is a proxy server (AI Gateway) for calling LLM APIs. A host-header parsing flaw could allow authentication bypass by making the auth gate evaluate a different route than dispatched, effectively bypassing access controls under specific conditions. The issue is mitigated by upgrading to 1.8...

9.8CVSS5.9AI score0.00559EPSS
CVE
CVE
added 2024/06/06 6:19 p.m.79 views

CVE-2024-5225

The CVE-2024-5225 issue affects litellm (LiteLLM) / berriai/litellm, specifically the /global/spend/logs endpoint, where the code builds an SQL query by directly concatenating an unvalidated api_key parameter. This SQL Injection vulnerability can lead to unauthorized access, data manipulation, ex...

7.2CVSS6.8AI score0.00429EPSS
Web
CVE
CVE
added 2025/03/20 10:9 a.m.75 views

CVE-2024-8984

The CVE-2024-8984 entry describes a Denial of Service vulnerability in berriai/litellm v1.44.5 caused by improper handling of multipart HTTP boundaries. An attacker can append characters to the boundary, triggering unbounded resource consumption and service unavailability. The issue is unauthenti...

7.5CVSS7.4AI score0.00792EPSS
CVE
CVE
added 2024/06/06 6:31 p.m.74 views

CVE-2024-4888

BerriAI’s litellm (latest version) is affected by CVE-2024-4888 due to improper input validation on the /audio/transcriptions endpoint. The code uses os.remove(file.filename) to delete a file, allowing an attacker to delete arbitrary server files (e.g., SSH keys, SQLite databases, configuration f...

8.1CVSS6.9AI score0.00614EPSS
CVE
CVE
added 2026/05/08 3:36 a.m.70 views

CVE-2026-42203

LiteLLM (proxy server) is affected from version 1.80.5 up to before 1.83.7 due to Server-Side Template Injection in the POST /prompts/test endpoint. The endpoint renders user-supplied prompt templates without sandboxing, enabling arbitrary code execution inside the LiteLLM Proxy process when auth...

8.8CVSS6AI score0.00373EPSS
Web
CVE
CVE
added 2024/06/06 5:53 p.m.63 views

CVE-2024-4889

CVE-2024-4889 affects berriai/litellm 1.34.6. The issue stems from unvalidated input in the secret management system’s eval function. When Google KMS is configured, an attacker can set UI_LOGO_PATH to a remote server in get_image, allowing writes to a malicious Google KMS configuration file at ca...

7.2CVSS7.2AI score0.00859EPSS
CVE
CVE
added 2026/03/23 9:47 p.m.63 views

CVE-2026-33634

CVE-2026-33634 is tied to a supply-chain compromise involving Aqua Security Trivy. Concrete details show: (1) affected items include Trivy binary/image v0.69.4, and GitHub Actions components aquasecurity/trivy-action (versions 0.0.1–0.34.2, 76/77 forced-pushed) and aquasecurity/setup-trivy (0.2.0...

9.4CVSS5.9AI score0.60368EPSS
In wild
CVE
CVE
added 2024/06/27 6:40 p.m.62 views

CVE-2024-5751

CVE-2024-5751 affects BerriAI/litellm v1.35.8. The vulnerability is in the add_deployment function, which base64-decodes and decrypts environment variables into os.environ; an attacker can trigger remote code execution by sending a malicious payload to /config/update, processed when get_secret ru...

9.8CVSS9.7AI score0.00875EPSS
Web
CVE
CVE
added 2024/06/27 6:41 p.m.57 views

CVE-2024-5710

CVE-2024-5710 affects berriai/litellm version 1.34.34. The issue is an improper access control in the Team Management feature, caused by insufficient access control checks across various endpoints. This enables unauthorized actors to perform actions such as creating, updating, viewing, deleting, ...

6.5CVSS5.5AI score0.00406EPSS
CVE
CVE
added 2025/03/20 10:11 a.m.57 views

CVE-2024-6825

CVE-2024-6825 affects litellm 1.40.12. The vulnerability lies in how the post_call_rules configuration is parsed: a callback can be set to a system method (for example os.system), with the final part treated as the function name and the rest imported as a Python module, enabling arbitrary command...

8.8CVSS9.1AI score0.01463EPSS
CVE
CVE
added 2026/06/21 10:0 a.m.54 views

CVE-2026-12799

The CVE-2026-12799 entry concerns BerriAI litellm up to version 1.82.2. The vulnerability affects the function ui_view_users in litellm/proxy/management_endpoints/internal_user_endpoints.py (component: Incomplete Fix CVE-2025-0628) and enables improper authorization. The issue can be exploited re...

5.3CVSS5.3AI score0.00288EPSS
CVE
CVE
added 2026/06/21 12:15 a.m.53 views

CVE-2026-12770

The CVE affects litellm (BerriAI) up to version 1.63.1, specifically the Admin Key Handler component and the file litellm/proxy/management_endpoints/key_management_endpoints.py. The root cause is improper authorization caused by manipulation within this endpoint, enabling a remote attacker to exp...

8.8CVSS5.5AI score0.00337EPSS
CVE
CVE
added 2026/05/21 8:34 p.m.53 views

CVE-2026-47102

LiteLLM is affected up to version 1.83.10. A vulnerability in the /user/update endpoint allows a user to modify their own user_role, potentially elevating to proxy_admin and gaining full administrative access to LiteLLM (including users, teams, keys, models, and prompt history). The flaw arises b...

8.8CVSS5.8AI score0.00653EPSS
CVE
CVE
added 2026/06/21 2:0 a.m.49 views

CVE-2026-12772

CVE-2026-12772 affects BerriAI litellm up to 1.82.2, impacting the authenticate_user path in litellm/proxy/auth/login_utils.py for the PROXY_ADMIN database API Key Generator. Description indicates that manipulating input can cause session expiration and that the issue can be exploited remotely; e...

6.5CVSS6.2AI score0.00262EPSS
CVE
CVE
added 2025/07/03 12:0 a.m.44 views

CVE-2025-45809

CVE-2025-45809 affects BerriAI litellm v1.65.4. The vulnerability is a SQL injection through the /key/block endpoint, enabling an attacker (proxy_admin_viewer) to brute-force files (PoC shows database read via pg_read_file and timing-based checks). The SNYK entry confirms the SQL injection and pr...

5.4CVSS6.1AI score0.00253EPSS
Web
CVE
CVE
added 2026/06/21 8:30 a.m.38 views

CVE-2026-12795

CVE-2026-12795 affects BerriAI litellm up to version 1.82.2 in the SSO Debug Flow component. The vulnerability concerns the function json.dumps within litellm/proxy/management_endpoints/ui_sso.py, where manipulation can lead to missing authentication. The issue is exploitable remotely and has had...

7.5CVSS6.7AI score0.00508EPSS
CVE
CVE
added 2026/07/08 7:32 p.m.32 views

CVE-2026-59822

LiteLLM (proxy server for LLM APIs)Prior to 1.84.0, LiteLLM’s MCP Streamable HTTP endpoint was vulnerable to an unauthenticated exploit where a fabricated Authorization header triggered an OAuth2 passthrough fallback. This path replaced failed LiteLLM key validation with an empty UserAPIKeyAuth()...

8.8CVSS6AI score0.00243EPSS
CVE
CVE
added 2026/04/10 1:43 p.m.30 views

CVE-2026-40217

LiteLLM (through 2026-04-08) is vulnerable to remote code execution via bytecode rewriting at /guardrails/test_custom_code. The CVSSv3.1 vector yields a high severity (8.8) with NETWORK attack, LOW privileges, no user interaction required. Affected component is unspecified beyond the URL vector; ...

8.8CVSS6.2AI score0.06496EPSS
Web
CVE
CVE
added 2026/05/21 8:33 p.m.30 views

CVE-2026-47101

LiteLLM prior to 1.83.14 is affected. An authenticated internal_user can generate API keys where allowed_routes may include admin-only routes, bypassing role-based access controls because the system does not verify that the requested routes fall within the creator’s permissions. This enables priv...

8.8CVSS5.8AI score0.00739EPSS
Web
CVE
CVE
added 2026/06/21 1:0 a.m.28 views

CVE-2026-12771

CVE-2026-12771 affects the litellm library by BerriAI up to version 1.82.2, specifically in litellm/proxy/auth/user_api_key_auth.py (M2M JWT Handler). The flaw enables improper authorization via remote exploitation with high attack complexity; public PoC exists. SNYK detaails identify the vulnera...

7.5CVSS5.3AI score0.00288EPSS
CVE
CVE
added 2026/06/21 9:30 a.m.28 views

CVE-2026-12798

CVE-2026-12798 affects BerriAI litellm up to 1.82.2, specifically the MCP OpenAPI Spec Loader’s load_openapi_spec_async function. The root cause is manipulation of the spec_path argument allowing server-side request forgery, which can be triggered remotely. The description notes that the exploit ...

6.5CVSS6.2AI score0.00262EPSS
CVE
CVE
added 2026/06/21 9:15 a.m.26 views

CVE-2026-12797

Technical details about CVE-2026-12797 are not publicly available in the provided documents. Monitor for updates from official advisories and vendor notices to obtain affected products, vulnerable components, and remediation information.

6.5CVSS6.1AI score0.00226EPSS
CVE
CVE
added 2026/06/21 9:0 a.m.24 views

CVE-2026-12796

Affected software/impact: BerriAI litellm (up to version 1.82.2), specifically the get_redirect_response_from_openid function in litellm/proxy/management_endpoints/ui_sso.py of the SSO Authentication Flow. Root cause / vulnerability detail: The description states that manipulation leads to sessio...

6.5CVSS6.2AI score0.00358EPSS
CVE
CVE
added 2026/07/08 7:33 p.m.12 views

CVE-2026-59819

LiteLLM (proxy for LLM APIs) prior to 1.83.10-stable has a local file read risk via the /health/test_connection endpoint. A privileged caller (e.g., proxy administrator) could supply environment/oidc/file references in litellm_params to read arbitrary local files, exposing sensitive contents. The...

4.9CVSS5.9AI score0.00258EPSS
Web
CVE
CVE
added 2026/07/08 7:14 p.m.7 views

CVE-2026-59821

LiteLLM is a proxy/AI Gateway for LLM API calls. A vulnerability exists in production create/update paths of Custom Code Guardrails before version 1.82.0-stable, where sandboxing/validation was not applied consistently with the test endpoint, allowing a privileged user to submit custom Python cod...

7.2CVSS6AI score0.00355EPSS
CVE
CVE
added 2026/07/08 7:32 p.m.5 views

CVE-2026-59820

LiteLLM is a proxy AI gateway. A path traversal flaw existed in LiteLLM Skills archive extraction prior to version 1.83.7-stable, where uploaded skill ZIPs could write outside the intended extraction directory when an authenticated user accessed LLM API routes or held a key with /v1/skills, anthr...

6.5CVSS5.9AI score0.00313EPSS
Web