LiteLLM Flaws Enable Privilege Escalation and OIDC Authentication Bypass
LiteLLM fixed two high-severity vulnerabilities in version 1.83.0 that could allow attackers to gain elevated access in AI gateway deployments. CVE-2026-35029 stems from missing admin authorization on the /config/update endpoint, allowing an authenticated low-privilege user to change proxy settings and environment variables. The flaw could be abused to register attacker-controlled Python handlers for remote code execution, read arbitrary server files, and overwrite UI credentials to seize privileged accounts, creating broad confidentiality, integrity, and availability risk.
The same release also addressed CVE-2026-35030, an authentication bypass affecting LiteLLM deployments that enabled JWT-based authentication. In vulnerable versions, the platform used the first 20 characters of a token as the OIDC userinfo cache key, allowing a crafted token with a matching prefix to collide with a legitimate cached session and inherit that user’s identity and permissions. The issue is not enabled by default, limiting exposure to specific configurations, but together the flaws highlight significant access-control weaknesses in LiteLLM versions prior to 1.83.0.
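The cache-key collision described for CVE-2026-35030, as an added example (not LiteLLM's code and not necessarily how the project fixed it): a userinfo cache keyed on the first 20 characters of a token beside one keyed on a SHA-256 digest of the whole token. The tokens, the userinfo table and all function and class names are constructed for illustration.

```python
import hashlib

# Constructed sample tokens (not real JWTs): identical first 20 characters, different tails.
ALICE_TOKEN = "eyJhbGciOiJSUzI1NiIs" + "InR5cCI6IkpXVCJ9.alice-claims.alice-sig"
OTHER_TOKEN = "eyJhbGciOiJSUzI1NiIs" + "InR5cCI6IkpXVCJ9.other-claims.other-sig"

# Hypothetical stand-in for the identity provider's userinfo endpoint.
USERINFO_BY_TOKEN = {
    ALICE_TOKEN: {"sub": "alice", "role": "admin"},
    OTHER_TOKEN: {"sub": "guest", "role": "viewer"},
}

def prefix_key(token):
    """Weak key as described in the article: only the first 20 characters."""
    return token[:20]

def digest_key(token):
    """Hardened key (assumed mitigation): SHA-256 over the entire token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

class UserinfoCache:
    """Minimal userinfo cache; key_fn decides what identifies a session."""
    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._entries = {}
        self.idp_calls = 0

    def resolve(self, token):
        key = self._key_fn(token)
        if key in self._entries:          # cache hit: the IdP is never consulted
            return self._entries[key]
        self.idp_calls += 1
        info = USERINFO_BY_TOKEN.get(token)
        if info is not None:
            self._entries[key] = info
        return info

def identities_seen(key_fn):
    """Resolve both tokens in order; return (first sub, second sub, IdP calls)."""
    cache = UserinfoCache(key_fn)
    first = cache.resolve(ALICE_TOKEN)
    second = cache.resolve(OTHER_TOKEN)
    return first["sub"], second["sub"], cache.idp_calls

if __name__ == "__main__":
    print("prefix key:", identities_seen(prefix_key))
    print("digest key:", identities_seen(digest_key))
```

With the prefix key the second token is served the first user's cached identity without a userinfo lookup; with the digest key each token is resolved on its own.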

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
LiteLLM v1.83.7-stable adds command-execution fix and supply-chain hardening
LiteLLM released v1.83.7-stable with a security fix blocking arbitrary command execution via MCP stdio transport, along with hardening for proxy input validation, token lookup queries, file path resolution in skill archive extraction, and permission checks. The release also emphasized Docker image signature verification with cosign and pinned verification guidance to an immutable commit hash.
CVE-2026-35029 and CVE-2026-35030 are publicly disclosed
Public advisories disclosed two high-severity LiteLLM vulnerabilities: CVE-2026-35029, which lets a low-privilege authenticated user escalate privileges and potentially achieve remote code execution, and CVE-2026-35030, which allows authentication bypass in certain JWT-enabled deployments via cache key collisions.
LiteLLM fixes two vulnerabilities in version 1.83.0
LiteLLM released version 1.83.0 to fix two security flaws affecting earlier versions: an authorization bypass in the /config/update endpoint (CVE-2026-35029) and an OIDC userinfo cache key collision authentication bypass affecting JWT-enabled deployments (CVE-2026-35030).
LiteLLM ships nightly fix for CVE-2026-35029
BerriAI released LiteLLM v1.83.0-nightly with a fix for the broken access control flaw in the /config/update endpoint, later tracked as CVE-2026-35029. The vulnerability allowed low-privileged users to modify configuration and abuse pass-through features to exfiltrate environment variables and read files accessible to the application.
Sources
Release v1.83.7-stable · BerriAI/litellm · GitHub (github.com)
CVE-2026-35029 - LiteLLM affected by privilege escalation via unrestricted proxy configuration endpoint (cvefeed.io)
CVE-2026-35030 - LiteLLM has an authentication bypass via OIDC userinfo cache key collision (cvefeed.io)
Security Update: Vulnerability Disclosures and Ongoing Hardening | liteLLM (docs.litellm.ai)
Full Disclosure: SEC Consult SA-20260421-0 :: Broken Access Control in Config Endpoint in LiteLLM (seclists.org)


