Search criteria
18 vulnerabilities found for litellm by berriai
CVE-2026-47102 (GCVE-0-2026-47102)
Vulnerability from nvd – Published: 2026-05-21 20:34 – Updated: 2026-05-23 03:55 X_Open Source
VLAI
Title
LiteLLM < 1.83.10 Privilege Escalation via User Update
Summary
LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://gist.github.com/13ph03nix/9ec616e1fdc77b3… | technical-descriptionexploit |
| https://huntr.com/bounties/8e75edfb-ff05-4e63-bfc… | third-party-advisoryexploit |
| https://github.com/BerriAI/litellm/releases/tag/v… | release-notes |
| https://github.com/BerriAI/litellm/pull/25541 | issue-tracking |
| https://github.com/BerriAI/litellm/commit/e6f18ce… | patch |
| https://github.com/BerriAI/litellm/commit/128d32d… | patch |
| https://www.vulncheck.com/advisories/litellm-priv… | third-party-advisory |
Date Public
2026-04-27 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47102",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:45.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "litellm",
"repo": "https://github.com/BerriAI/litellm",
"vendor": "BerriAI",
"versions": [
{
"lessThan": "1.83.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fenix Qiao (aka 13ph03nix) from Obsidian Security"
}
],
"datePublic": "2026-04-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T20:34:37.893Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f"
},
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/BerriAI/litellm/pull/25541"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/e6f18ce75b111c9b93dc15c72894cbdeb53177ce"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/128d32d2494b759c5d15da3452452af4c6a34c01"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/litellm-privilege-escalation-via-user-update"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "LiteLLM \u003c 1.83.10 Privilege Escalation via User Update",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-47102",
"datePublished": "2026-05-21T20:34:37.893Z",
"dateReserved": "2026-05-18T19:22:26.748Z",
"dateUpdated": "2026-05-23T03:55:45.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47101 (GCVE-0-2026-47101)
Vulnerability from nvd – Published: 2026-05-21 20:33 – Updated: 2026-05-23 03:55 X_Open Source
VLAI
Title
LiteLLM < 1.83.14 Privilege Escalation via API Key Generation
Summary
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://gist.github.com/13ph03nix/9ec616e1fdc77b3… | technical-descriptionexploit |
| https://huntr.com/bounties/8e75edfb-ff05-4e63-bfc… | third-party-advisoryexploit |
| https://github.com/BerriAI/litellm/releases/tag/v… | release-notes |
| https://github.com/BerriAI/litellm/commit/d910a95… | patch |
| https://github.com/BerriAI/litellm/commit/2220f30… | patch |
| https://github.com/BerriAI/litellm/commit/5190bd0… | patch |
| https://www.vulncheck.com/advisories/litellm-priv… | third-party-advisory |
Date Public
2026-04-27 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47101",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:46.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "litellm",
"repo": "https://github.com/BerriAI/litellm",
"vendor": "BerriAI",
"versions": [
{
"lessThan": "1.83.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fenix Qiao (aka 13ph03nix) from Obsidian Security"
}
],
"datePublic": "2026-04-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user\u0027s own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T20:33:30.163Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f"
},
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.14-stable"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/d910a95661fce3cdd36f3b06c03ecf9c46c6457c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/2220f3076ac89bd2a2e3439acf57dcfbec2434c9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/5190bd07eb23a037745d86328096f54378f1614a"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/litellm-privilege-escalation-via-api-key-generation"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "LiteLLM \u003c 1.83.14 Privilege Escalation via API Key Generation",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-47101",
"datePublished": "2026-05-21T20:33:30.163Z",
"dateReserved": "2026-05-18T19:22:26.748Z",
"dateUpdated": "2026-05-23T03:55:46.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42271 (GCVE-0-2026-42271)
Vulnerability from nvd – Published: 2026-05-08 03:35 – Updated: 2026-05-09 03:55
VLAI
Title
LiteLLM: Authenticated command execution via MCP stdio test endpoints
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/BerriAI/litellm/security/advis… | x_refsource_CONFIRM |
| https://github.com/BerriAI/litellm/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42271",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:48.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.74.2, \u003c 1.83.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it \u2014 POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list \u2014 accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \u2014 including holders of low-privilege internal-user keys \u2014 could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:35:16.758Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
},
{
"name": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
}
],
"source": {
"advisory": "GHSA-v4p8-mg3p-g94g",
"discovery": "UNKNOWN"
},
"title": "LiteLLM: Authenticated command execution via MCP stdio test endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42271",
"datePublished": "2026-05-08T03:35:16.758Z",
"dateReserved": "2026-04-26T11:53:27.707Z",
"dateUpdated": "2026-05-09T03:55:48.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42208 (GCVE-0-2026-42208)
Vulnerability from nvd – Published: 2026-05-08 03:38 – Updated: 2026-05-09 03:55
VLAI
CISA KEV
Title
LiteLLM: SQL injection in Proxy API key verification
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
Severity
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/BerriAI/litellm/security/advis… | x_refsource_CONFIRM |
| https://github.com/BerriAI/litellm/releases/tag/v… | x_refsource_MISC |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42208",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-05-08",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:45.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-08T00:00:00.000Z",
"value": "CVE-2026-42208 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.81.16, \u003c 1.83.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy\u0027s error-handling path. An attacker could read data from the proxy\u0027s database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:38:14.124Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc"
},
{
"name": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
}
],
"source": {
"advisory": "GHSA-r75f-5x8p-qvmc",
"discovery": "UNKNOWN"
},
"title": "LiteLLM: SQL injection in Proxy API key verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42208",
"datePublished": "2026-05-08T03:38:14.124Z",
"dateReserved": "2026-04-25T05:04:37.027Z",
"dateUpdated": "2026-05-09T03:55:45.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42203 (GCVE-0-2026-42203)
Vulnerability from nvd – Published: 2026-05-08 03:36 – Updated: 2026-05-09 03:55
VLAI
Title
LiteLLM: Server-Side Template Injection in /prompts/test endpoint
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/BerriAI/litellm/security/advis… | x_refsource_CONFIRM |
| https://github.com/BerriAI/litellm/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:49.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.80.5, \u003c 1.83.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:36:58.648Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-xqmj-j6mv-4862",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-xqmj-j6mv-4862"
},
{
"name": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
}
],
"source": {
"advisory": "GHSA-xqmj-j6mv-4862",
"discovery": "UNKNOWN"
},
"title": "LiteLLM: Server-Side Template Injection in /prompts/test endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42203",
"datePublished": "2026-05-08T03:36:58.648Z",
"dateReserved": "2026-04-25T05:04:37.027Z",
"dateUpdated": "2026-05-09T03:55:49.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40217 (GCVE-0-2026-40217)
Vulnerability from nvd – Published: 2026-04-10 13:43 – Updated: 2026-04-14 14:39
VLAI
Summary
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-420 - Unprotected Alternate Channel
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40217",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:38:35.553992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:39:03.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "LiteLLM",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "bb0639701796218a3447160e55c0f1097446e4e6085df7dfd39f476d4143743f",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-420",
"description": "CWE-420 Unprotected Alternate Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T13:43:23.147Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm/"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-40217",
"datePublished": "2026-04-10T13:43:23.147Z",
"dateReserved": "2026-04-10T13:43:22.641Z",
"dateUpdated": "2026-04-14T14:39:03.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35030 (GCVE-0-2026-35030)
Vulnerability from nvd – Published: 2026-04-06 16:47 – Updated: 2026-04-07 14:24
VLAI
Title
LiteLLM has an authentication bypass via OIDC userinfo cache key collision
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/BerriAI/litellm/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-35030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T14:24:02.117235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:24:34.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003c 1.83.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user\u0027s cached token. On cache hit, the attacker inherits the legitimate user\u0027s identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:47:02.065Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6"
}
],
"source": {
"advisory": "GHSA-jjhc-v7c2-5hh6",
"discovery": "UNKNOWN"
},
"title": "LiteLLM has an authentication bypass via OIDC userinfo cache key collision"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35030",
"datePublished": "2026-04-06T16:47:02.065Z",
"dateReserved": "2026-03-31T21:06:06.427Z",
"dateUpdated": "2026-04-07T14:24:34.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35029 (GCVE-0-2026-35029)
Vulnerability from nvd – Published: 2026-04-06 16:35 – Updated: 2026-04-29 19:32
VLAI
Title
LiteLLM affected by privilege escalation via unrestricted proxy configuration endpoint
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/BerriAI/litellm/security/advis… | x_refsource_CONFIRM |
| http://seclists.org/fulldisclosure/2026/Apr/17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T18:41:02.884913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T18:41:19.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-29T19:32:18.471Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Apr/17"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003c 1.83.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:45:25.830Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789"
}
],
"source": {
"advisory": "GHSA-53mr-6c8q-9789",
"discovery": "UNKNOWN"
},
"title": "LiteLLM affected by privilege escalation via unrestricted proxy configuration endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35029",
"datePublished": "2026-04-06T16:35:28.974Z",
"dateReserved": "2026-03-31T21:06:06.427Z",
"dateUpdated": "2026-04-29T19:32:18.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33634 (GCVE-0-2026-33634)
Vulnerability from nvd – Published: 2026-03-23 21:47 – Updated: 2026-03-30 14:40
VLAI
CISA KEV
Title
Trivy ecosystem supply chain briefly compromised
Summary
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags.
Severity
SSVC
Exploitation: active
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-506 - Embedded Malicious Code
Assigner
References
14 references
| URL | Tags |
|---|---|
| https://github.com/aquasecurity/trivy/security/ad… | x_refsource_CONFIRM |
| https://github.com/team-telnyx/telnyx-python/secu… | x_refsource_MISC |
| https://github.com/BerriAI/litellm/issues/24518 | x_refsource_MISC |
| https://docs.litellm.ai/blog/security-update-march-2026 | x_refsource_MISC |
| https://futuresearch.ai/blog/litellm-pypi-supply-… | x_refsource_MISC |
| https://github.com/aquasecurity/trivy/discussions/10425 | x_refsource_MISC |
| https://github.com/pypa/advisory-database/tree/ma… | x_refsource_MISC |
| https://inspector.pypi.io/project/litellm/1.82.7/… | x_refsource_MISC |
| https://inspector.pypi.io/project/litellm/1.82.8/… | x_refsource_MISC |
| https://www.wiz.io/blog/teampcp-attack-kics-githu… | x_refsource_MISC |
| https://rosesecurity.dev/2026/03/20/typosquatting… | exploit |
| https://www.microsoft.com/en-us/security/blog/202… | third-party-advisory |
| https://github.com/BerriAI/litellm/issues/24518#i… | third-party-advisory |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| aquasecurity | setup-trivy |
Affected:
< 0.2.6
|
|
| aquasecurity | trivy-action |
Affected:
< 0.35.0
|
|
| aquasecurity | trivy |
Affected:
= 0.69.4
|
|
| BerriAI | LiteLLM |
Affected:
>= 1.82.7, <= 1.82.8
|
|
| team-telnyx | telnyx |
Affected:
>= 4.87.1, <= 4.87.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33634",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-03-26",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T03:55:31.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/BerriAI/litellm/issues/24518#issuecomment-4127436387"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-26T00:00:00.000Z",
"value": "CVE-2026-33634 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "setup-trivy",
"vendor": "aquasecurity",
"versions": [
{
"status": "affected",
"version": "\u003c 0.2.6"
}
]
},
{
"product": "trivy-action",
"vendor": "aquasecurity",
"versions": [
{
"status": "affected",
"version": "\u003c 0.35.0"
}
]
},
{
"product": "trivy",
"vendor": "aquasecurity",
"versions": [
{
"status": "affected",
"version": "= 0.69.4"
}
]
},
{
"product": "LiteLLM",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.82.7, \u003c= 1.82.8"
}
]
},
{
"product": "telnyx",
"vendor": "team-telnyx",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.87.1, \u003c= 4.87.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 \u2013 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 \u2013 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one\u0027s environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one\u0027s organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19\u201320, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one\u0027s GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don\u0027t use mutable version tags."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T14:40:28.027Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23"
},
{
"name": "https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc"
},
{
"name": "https://github.com/BerriAI/litellm/issues/24518",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BerriAI/litellm/issues/24518"
},
{
"name": "https://docs.litellm.ai/blog/security-update-march-2026",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.litellm.ai/blog/security-update-march-2026"
},
{
"name": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack"
},
{
"name": "https://github.com/aquasecurity/trivy/discussions/10425",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aquasecurity/trivy/discussions/10425"
},
{
"name": "https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml"
},
{
"name": "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130",
"tags": [
"x_refsource_MISC"
],
"url": "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130"
},
{
"name": "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1"
},
{
"name": "https://www.wiz.io/blog/teampcp-attack-kics-github-action",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wiz.io/blog/teampcp-attack-kics-github-action"
}
],
"source": {
"advisory": "GHSA-69fq-xp46-6x23",
"discovery": "UNKNOWN"
},
"title": "Trivy ecosystem supply chain briefly compromised"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33634",
"datePublished": "2026-03-23T21:47:29.636Z",
"dateReserved": "2026-03-23T14:24:11.619Z",
"dateUpdated": "2026-03-30T14:40:28.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47102 (GCVE-0-2026-47102)
Vulnerability from cvelistv5 – Published: 2026-05-21 20:34 – Updated: 2026-05-23 03:55 X_Open Source
VLAI
Title
LiteLLM < 1.83.10 Privilege Escalation via User Update
Summary
LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://gist.github.com/13ph03nix/9ec616e1fdc77b3… | technical-descriptionexploit |
| https://huntr.com/bounties/8e75edfb-ff05-4e63-bfc… | third-party-advisoryexploit |
| https://github.com/BerriAI/litellm/releases/tag/v… | release-notes |
| https://github.com/BerriAI/litellm/pull/25541 | issue-tracking |
| https://github.com/BerriAI/litellm/commit/e6f18ce… | patch |
| https://github.com/BerriAI/litellm/commit/128d32d… | patch |
| https://www.vulncheck.com/advisories/litellm-priv… | third-party-advisory |
Date Public
2026-04-27 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47102",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:45.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "litellm",
"repo": "https://github.com/BerriAI/litellm",
"vendor": "BerriAI",
"versions": [
{
"lessThan": "1.83.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fenix Qiao (aka 13ph03nix) from Obsidian Security"
}
],
"datePublic": "2026-04-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T20:34:37.893Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f"
},
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/BerriAI/litellm/pull/25541"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/e6f18ce75b111c9b93dc15c72894cbdeb53177ce"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/128d32d2494b759c5d15da3452452af4c6a34c01"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/litellm-privilege-escalation-via-user-update"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "LiteLLM \u003c 1.83.10 Privilege Escalation via User Update",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-47102",
"datePublished": "2026-05-21T20:34:37.893Z",
"dateReserved": "2026-05-18T19:22:26.748Z",
"dateUpdated": "2026-05-23T03:55:45.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47101 (GCVE-0-2026-47101)
Vulnerability from cvelistv5 – Published: 2026-05-21 20:33 – Updated: 2026-05-23 03:55 X_Open Source
VLAI
Title
LiteLLM < 1.83.14 Privilege Escalation via API Key Generation
Summary
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://gist.github.com/13ph03nix/9ec616e1fdc77b3… | technical-descriptionexploit |
| https://huntr.com/bounties/8e75edfb-ff05-4e63-bfc… | third-party-advisoryexploit |
| https://github.com/BerriAI/litellm/releases/tag/v… | release-notes |
| https://github.com/BerriAI/litellm/commit/d910a95… | patch |
| https://github.com/BerriAI/litellm/commit/2220f30… | patch |
| https://github.com/BerriAI/litellm/commit/5190bd0… | patch |
| https://www.vulncheck.com/advisories/litellm-priv… | third-party-advisory |
Date Public
2026-04-27 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47101",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:46.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "litellm",
"repo": "https://github.com/BerriAI/litellm",
"vendor": "BerriAI",
"versions": [
{
"lessThan": "1.83.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fenix Qiao (aka 13ph03nix) from Obsidian Security"
}
],
"datePublic": "2026-04-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user\u0027s own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T20:33:30.163Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f"
},
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.14-stable"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/d910a95661fce3cdd36f3b06c03ecf9c46c6457c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/2220f3076ac89bd2a2e3439acf57dcfbec2434c9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/5190bd07eb23a037745d86328096f54378f1614a"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/litellm-privilege-escalation-via-api-key-generation"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "LiteLLM \u003c 1.83.14 Privilege Escalation via API Key Generation",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-47101",
"datePublished": "2026-05-21T20:33:30.163Z",
"dateReserved": "2026-05-18T19:22:26.748Z",
"dateUpdated": "2026-05-23T03:55:46.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42208 (GCVE-0-2026-42208)
Vulnerability from cvelistv5 – Published: 2026-05-08 03:38 – Updated: 2026-05-09 03:55
VLAI
CISA KEV
Title
LiteLLM: SQL injection in Proxy API key verification
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
Severity
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/BerriAI/litellm/security/advis… | x_refsource_CONFIRM |
| https://github.com/BerriAI/litellm/releases/tag/v… | x_refsource_MISC |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42208",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-05-08",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:45.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-08T00:00:00.000Z",
"value": "CVE-2026-42208 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.81.16, \u003c 1.83.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy\u0027s error-handling path. An attacker could read data from the proxy\u0027s database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:38:14.124Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc"
},
{
"name": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
}
],
"source": {
"advisory": "GHSA-r75f-5x8p-qvmc",
"discovery": "UNKNOWN"
},
"title": "LiteLLM: SQL injection in Proxy API key verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42208",
"datePublished": "2026-05-08T03:38:14.124Z",
"dateReserved": "2026-04-25T05:04:37.027Z",
"dateUpdated": "2026-05-09T03:55:45.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42203 (GCVE-0-2026-42203)
Vulnerability from cvelistv5 – Published: 2026-05-08 03:36 – Updated: 2026-05-09 03:55
VLAI
Title
LiteLLM: Server-Side Template Injection in /prompts/test endpoint
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/BerriAI/litellm/security/advis… | x_refsource_CONFIRM |
| https://github.com/BerriAI/litellm/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:49.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.80.5, \u003c 1.83.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:36:58.648Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-xqmj-j6mv-4862",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-xqmj-j6mv-4862"
},
{
"name": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
}
],
"source": {
"advisory": "GHSA-xqmj-j6mv-4862",
"discovery": "UNKNOWN"
},
"title": "LiteLLM: Server-Side Template Injection in /prompts/test endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42203",
"datePublished": "2026-05-08T03:36:58.648Z",
"dateReserved": "2026-04-25T05:04:37.027Z",
"dateUpdated": "2026-05-09T03:55:49.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42271 (GCVE-0-2026-42271)
Vulnerability from cvelistv5 – Published: 2026-05-08 03:35 – Updated: 2026-05-09 03:55
VLAI
Title
LiteLLM: Authenticated command execution via MCP stdio test endpoints
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/BerriAI/litellm/security/advis… | x_refsource_CONFIRM |
| https://github.com/BerriAI/litellm/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42271",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:48.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.74.2, \u003c 1.83.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it \u2014 POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list \u2014 accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \u2014 including holders of low-privilege internal-user keys \u2014 could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:35:16.758Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
},
{
"name": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
}
],
"source": {
"advisory": "GHSA-v4p8-mg3p-g94g",
"discovery": "UNKNOWN"
},
"title": "LiteLLM: Authenticated command execution via MCP stdio test endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42271",
"datePublished": "2026-05-08T03:35:16.758Z",
"dateReserved": "2026-04-26T11:53:27.707Z",
"dateUpdated": "2026-05-09T03:55:48.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40217 (GCVE-0-2026-40217)
Vulnerability from cvelistv5 – Published: 2026-04-10 13:43 – Updated: 2026-04-14 14:39
VLAI
Summary
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-420 - Unprotected Alternate Channel
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40217",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:38:35.553992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:39:03.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "LiteLLM",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "bb0639701796218a3447160e55c0f1097446e4e6085df7dfd39f476d4143743f",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-420",
"description": "CWE-420 Unprotected Alternate Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T13:43:23.147Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm/"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-40217",
"datePublished": "2026-04-10T13:43:23.147Z",
"dateReserved": "2026-04-10T13:43:22.641Z",
"dateUpdated": "2026-04-14T14:39:03.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35030 (GCVE-0-2026-35030)
Vulnerability from cvelistv5 – Published: 2026-04-06 16:47 – Updated: 2026-04-07 14:24
VLAI
Title
LiteLLM has an authentication bypass via OIDC userinfo cache key collision
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/BerriAI/litellm/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-35030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T14:24:02.117235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:24:34.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003c 1.83.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user\u0027s cached token. On cache hit, the attacker inherits the legitimate user\u0027s identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:47:02.065Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6"
}
],
"source": {
"advisory": "GHSA-jjhc-v7c2-5hh6",
"discovery": "UNKNOWN"
},
"title": "LiteLLM has an authentication bypass via OIDC userinfo cache key collision"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35030",
"datePublished": "2026-04-06T16:47:02.065Z",
"dateReserved": "2026-03-31T21:06:06.427Z",
"dateUpdated": "2026-04-07T14:24:34.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35029 (GCVE-0-2026-35029)
Vulnerability from cvelistv5 – Published: 2026-04-06 16:35 – Updated: 2026-04-29 19:32
VLAI
Title
LiteLLM affected by privilege escalation via unrestricted proxy configuration endpoint
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/BerriAI/litellm/security/advis… | x_refsource_CONFIRM |
| http://seclists.org/fulldisclosure/2026/Apr/17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T18:41:02.884913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T18:41:19.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-29T19:32:18.471Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Apr/17"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003c 1.83.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:45:25.830Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789"
}
],
"source": {
"advisory": "GHSA-53mr-6c8q-9789",
"discovery": "UNKNOWN"
},
"title": "LiteLLM affected by privilege escalation via unrestricted proxy configuration endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35029",
"datePublished": "2026-04-06T16:35:28.974Z",
"dateReserved": "2026-03-31T21:06:06.427Z",
"dateUpdated": "2026-04-29T19:32:18.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33634 (GCVE-0-2026-33634)
Vulnerability from cvelistv5 – Published: 2026-03-23 21:47 – Updated: 2026-03-30 14:40
VLAI
CISA KEV
Title
Trivy ecosystem supply chain briefly compromised
Summary
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags.
Severity
SSVC
Exploitation: active
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-506 - Embedded Malicious Code
Assigner
References
14 references
| URL | Tags |
|---|---|
| https://github.com/aquasecurity/trivy/security/ad… | x_refsource_CONFIRM |
| https://github.com/team-telnyx/telnyx-python/secu… | x_refsource_MISC |
| https://github.com/BerriAI/litellm/issues/24518 | x_refsource_MISC |
| https://docs.litellm.ai/blog/security-update-march-2026 | x_refsource_MISC |
| https://futuresearch.ai/blog/litellm-pypi-supply-… | x_refsource_MISC |
| https://github.com/aquasecurity/trivy/discussions/10425 | x_refsource_MISC |
| https://github.com/pypa/advisory-database/tree/ma… | x_refsource_MISC |
| https://inspector.pypi.io/project/litellm/1.82.7/… | x_refsource_MISC |
| https://inspector.pypi.io/project/litellm/1.82.8/… | x_refsource_MISC |
| https://www.wiz.io/blog/teampcp-attack-kics-githu… | x_refsource_MISC |
| https://rosesecurity.dev/2026/03/20/typosquatting… | exploit |
| https://www.microsoft.com/en-us/security/blog/202… | third-party-advisory |
| https://github.com/BerriAI/litellm/issues/24518#i… | third-party-advisory |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| aquasecurity | setup-trivy |
Affected:
< 0.2.6
|
|
| aquasecurity | trivy-action |
Affected:
< 0.35.0
|
|
| aquasecurity | trivy |
Affected:
= 0.69.4
|
|
| BerriAI | LiteLLM |
Affected:
>= 1.82.7, <= 1.82.8
|
|
| team-telnyx | telnyx |
Affected:
>= 4.87.1, <= 4.87.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33634",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-03-26",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T03:55:31.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/BerriAI/litellm/issues/24518#issuecomment-4127436387"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-26T00:00:00.000Z",
"value": "CVE-2026-33634 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "setup-trivy",
"vendor": "aquasecurity",
"versions": [
{
"status": "affected",
"version": "\u003c 0.2.6"
}
]
},
{
"product": "trivy-action",
"vendor": "aquasecurity",
"versions": [
{
"status": "affected",
"version": "\u003c 0.35.0"
}
]
},
{
"product": "trivy",
"vendor": "aquasecurity",
"versions": [
{
"status": "affected",
"version": "= 0.69.4"
}
]
},
{
"product": "LiteLLM",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.82.7, \u003c= 1.82.8"
}
]
},
{
"product": "telnyx",
"vendor": "team-telnyx",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.87.1, \u003c= 4.87.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 \u2013 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 \u2013 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one\u0027s environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one\u0027s organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19\u201320, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one\u0027s GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don\u0027t use mutable version tags."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T14:40:28.027Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23"
},
{
"name": "https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc"
},
{
"name": "https://github.com/BerriAI/litellm/issues/24518",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BerriAI/litellm/issues/24518"
},
{
"name": "https://docs.litellm.ai/blog/security-update-march-2026",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.litellm.ai/blog/security-update-march-2026"
},
{
"name": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack"
},
{
"name": "https://github.com/aquasecurity/trivy/discussions/10425",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aquasecurity/trivy/discussions/10425"
},
{
"name": "https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml"
},
{
"name": "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130",
"tags": [
"x_refsource_MISC"
],
"url": "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130"
},
{
"name": "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1"
},
{
"name": "https://www.wiz.io/blog/teampcp-attack-kics-github-action",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wiz.io/blog/teampcp-attack-kics-github-action"
}
],
"source": {
"advisory": "GHSA-69fq-xp46-6x23",
"discovery": "UNKNOWN"
},
"title": "Trivy ecosystem supply chain briefly compromised"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33634",
"datePublished": "2026-03-23T21:47:29.636Z",
"dateReserved": "2026-03-23T14:24:11.619Z",
"dateUpdated": "2026-03-30T14:40:28.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}