CVE-2026-33634
Published 2026-03-23
Priority P1 90 · CVSS 3.1 base score 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (remediation due 2026-04-09) · Exploited in the wild
EPSS 60.37% (99.0th percentile)
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a still-valid token to exfiltrate newly rotated secrets during the rotation window, which lasted a few days, and so could have retained the access needed to execute the March 19 attack.

Affected components: the `aquasecurity/trivy` Go binary / container image version 0.69.4; the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76 of 77 tags); and the `aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions: Trivy binary 0.69.2 and 0.69.3, trivy-action 0.35.0, and setup-trivy 0.2.6 (the recreated tag).

In addition to moving to a safe version, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source, and remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`; for any workflow that referenced a version tag rather than a full commit SHA, check the workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization: the presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aquasec | setup-trivy | < 0.2.6 | 0.2.6 |
| aquasec | trivy | — | — |
| aquasec | trivy_action | < 0.35.0 | 0.35.0 |
| aquasecurity | setup-trivy | < 0.2.6 | 0.2.6 |
| aquasecurity | setup-trivy | >= 0 < 0.2.6 | 0.2.6 |
| aquasecurity | trivy | — | — |
| aquasecurity | trivy-action | < 0.35.0 | 0.35.0 |
| aquasecurity | trivy-action | >= 0 < 0.35.0 | 0.35.0 |
| berriai | litellm | — | — |
| github.com | aquasecurity_trivy | >= 0.69.4 | — |
| litellm | litellm | — | — |
| litellm | litellm | — | — |
| team-telnyx | telnyx | — | — |
| telnyx | telnyx | — | — |
| telnyx | telnyx | — | — |
Detection & IOCs (extracted from sources)
- Search GitHub Actions workflow run logs from March 19–20, 2026 for references to tpcp.tar.gz, scan.aquasecurity[.]org, or checkmarx[.]zone, which indicate execution of the malicious stealer payload.
- Search GitHub organization for repositories named 'tpcp-docs' or 'docs-tpcp' as indicators of successful fallback exfiltration via GITHUB_TOKEN.
- Monitor outbound network connections from CI runners to checkmarx[.]zone, audit.checkmarx[.]cx, and whereisitat[.]lucyatemysuperbox[.]space — all confirmed attacker-controlled exfiltration endpoints.
- Detect the KICS malicious telemetry exfiltration by alerting on outbound HTTP requests with User-Agent 'KICS-Telemetry/2.0' to audit.checkmarx[.]cx.
- Detect the persistence mechanism installed by the Checkmarx-linked stealer on non-CI systems: a systemd user service polling checkmarx[.]zone/raw every 50 minutes.
- Detect the CanisterWorm/CanisterSprawl C2 pattern: look for outbound connections to Internet Computer Protocol (ICP) canisters as a dual-channel exfiltration endpoint, consistent across multiple TeamPCP worm variants.
- Detect the Bitwarden CLI compromise by hunting for the string 'Shai-Hulud: The Third Coming' or Dune-themed identifiers (atreides, fremen, sandworm, sardaukar) in npm package contents or process memory.
- Detect the xinference PyPI stealer by scanning for the comment '# hacked by teampcp' and double base64-encoded payloads injected into __init__.py that execute as a detached subprocess on package import.
- Detect the scripted mass-defacement pattern: all 44 aquasec-com repositories were modified in a 2-minute burst (20:31:07–20:32:26 UTC on March 22, 2026) via a compromised service account token bridging two GitHub orgs.
- Detect exposed Docker APIs on port 2375 across local subnets, which TeamPCP actively exploits for lateral movement alongside stolen SSH keys.
- Trivy versions 0.69.4, 0.69.5, and 0.69.6 are confirmed malicious; 0.69.3 is the last known clean Docker Hub release. Safe versions are 0.69.2 and 0.69.3.
- Patching Trivy alone is insufficient; credential rotation for all secrets accessible to affected pipelines during the March 19–27 compromise window is mandatory.
- Checkmarx VS Code/Open VSX extensions ast-results v2.53.0 and cx-dev-assist v1.7.0 (March incident) and ast-results v2.63.0/2.66.0 and cx-dev-assist v1.17.0/1.19.0 (April incident) are malicious; VS Code Marketplace versions of the March incident were not affected.
- @bitwarden/cli version 2026.4.0 is malicious (compromised via cascading KICS Docker image pull); version 2026.4.1 (re-release of 2026.3.0) is safe. Approximately 334 downloads occurred during the exposure window.
- 474 public repositories executed malicious code from the compromised trivy-action workflow, and 1,750 Python packages were configured to automatically pull poisoned versions — indicating broad downstream exposure beyond direct Trivy users.
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.4 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 9.4 CRITICAL
- CISA: 9.4 CRITICAL
OSV · 2026-04-01 · CVE-2026-33634: Trivy ecosystem supply chain was briefly compromised in github.com/aquasecurity/trivy
On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release.
OSV · 2026-03-24 · CVE-2026-33634 [CRITICAL]: Trivy ecosystem supply chain was briefly compromised
## Summary
On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits.
On March 22, 2026, a threat actor used compromised credentials to publish malicious Trivy v0.69.5 and v0.69.6 Docker Hub images.
## Exposure Window
| Component | Start (UTC) | End (UTC) | Duration |
| ------------- | ---------------------- | ----------------- | --------- |
| trivy v0.69.4 | 2026-03-19 18:22 [^1] | 2026-03-19 ~21:42 | ~3 hours |
| trivy-action | 2026-03-19 ~17:43 [^2] | 2026-03-20 ~05:40 | ~12 hours |
| setup-trivy | 2026-03-19 ~
GHSA · 2026-03-24 · CVE-2026-33634 [CRITICAL] CWE-506: Trivy ecosystem supply chain was briefly compromised (advisory text identical to the OSV entry above)
VulnCheck · 2026 · CVSS 9.4 · CVE-2026-33634 [CRITICAL] CWE-506: Aquasecurity Trivy Embedded Malicious Code Vulnerability
Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.
Affected: Aquasecurity Trivy
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2026-33634; https://www.kaspersky.com/blog/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp/55510/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
CISA · 2026-03-26 · CVSS 9.4 · CVE-2026-33634 [CRITICAL] CWE-506: Aquasecurity Trivy Embedded Malicious Code Vulnerability
Affected: Aquasecurity Trivy
Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability involves a supply‑chain compromise in a product that may be used across multiple products and environments. Additional vendor‑provided guidance must be followed to ensure full remediation. For more information, please se
SANS ISC · blogs_sans_isc · 2026-04-27 · CVSS 9.4
CVE-2026-33634 [CRITICAL] TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns
Published: 2026-04-27. Last Updated: 2026-04-27 14:01:17 UTC
by Kenneth Hartman (Version: 1)
This update succeeds TeamPCP Supply Chain Campaign Update 007, published April 8, 2026, which left the campaign in credential-monetization mode following the Cisco source code theft via Trivy-linked credentials, Google GTIG's formal designation of the operators as UNC6780 (with their credential stealer named SANDCLOCK), and the lapsed CISA KEV remediation deadline for CVE-2026-33634 with no standalone federal advisory. The Sportradar publication deadline flagged in Upd
The Hacker News · blogs_hackernews · 2026-04-13
## OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
OpenAI revealed a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, but noted that no user data or internal system was compromised.
"Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps," OpenAI said in a post last week. "We found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was altered."
The disclosure comes a
SANS ISC · blogs_sans_isc · 2026-04-08 · CVSS 9.4
[CRITICAL] TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory
Published: 2026-04-08. Last Updated: 2026-04-08 17:15:05 UTC
by Kenneth Hartman (Version: 1)
This is the seventh update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). Update 006 covered developments through April 3, including the CERT-EU European Commission breach disclosure, ShinyHunters' confirmation of credential sharing, Sportradar breach details, and Mandiant's quantification of 1,000+ compromised SaaS environments. This update consolidates five days of intelligence from April 3 through April 8,
The Hacker News · blogs_hackernews · 2026-03-24 · CVSS 9.4 · [CRITICAL]
## TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials
Two more GitHub Actions workflows have become the latest to be compromised by credential-stealing malware by a threat actor known as TeamPCP, the cloud-native cybercriminal operation also behind the Trivy supply chain attack.
The workflows, both maintained by the supply chain security company Checkmarx, are listed below -
checkmarx/ast-github-action
checkmarx/kics-github-action
Cloud security company Sysdig said it observed an identical credential stealer as the one used in TeamPCP's operations targeting Aqua Security's Trivy vulnerability scanner and its
The Hacker News · blogs_hackernews · 2026-03-23
## Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper
Cybersecurity researchers have uncovered malicious artifacts distributed via Docker Hub following the Trivy supply chain attack , highlighting the widening blast radius across developer environments.
The last known clean release of Trivy on Docker Hub is 0.69.3. The malicious versions 0.69.4, 0.69.5, and 0.69.6 have since been removed from the container image library.
"New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. Both images contain indicators of compromise associated with the same TeamPCP
Wiz · blogs_wiz · CVSS 5.9
## CVE-2026-23992 [MEDIUM]: Trivy vulnerability analysis and mitigation
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
Source: NVD. Score 7.5 (Severity HIGH, CNA score 5.9). Published January 22, 2026. Affected technologies: Trivy, CBL Mariner. Public exploit: No. CISA KEV exploit: No.
Wiz · blogs_wiz · CVSS 4.7
## CVE-2026-24686 [MEDIUM]: Trivy vulnerability analysis and mitigation
Highlighted terms: repoName, ../escaped-repo, LocalMetadataDir
Source: NVD. Score 4.7 (Severity MEDIUM, CNA score 4.7). Published January 27, 2026. Affected technologies: Trivy, Wolfi. Public exploit: Yes. CISA KEV exploit: No (release date N/A, due date N/A). EPSS percentile 0.8; EPSS probability N/A. Affected packages and libraries: kyverno-policy-reporter-plugins-fips, image-factory-fips.
Sources:
| Source | Severity | Fix | Added |
|---|---|---|---|
| NVD | | | |
| Chainguard | | Has fix | Jan 28, 2026 |
| Debian 13 | MEDIUM | No fix | Jan 27, 2026 |
| Debian 14 | MEDIUM | Has fix | Jan 27, 2026 |
| Echo | MEDIUM | No fix | Jan 27, 2026 |
| GoLang | MEDIUM | Has fix | Jan 27, 202 |
Wiz · blogs_wiz · CVSS 5.3
## CVE-2025-64702 [MEDIUM]: Trivy vulnerability analysis and mitigation
quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.
Source: NVD. Score 5.3 (Severity MEDIUM, CNA score 5.3). Published December 11, 2025. Affected technologies: Trivy, Synct
Wiz · blogs_wiz · CVSS 7.0
## CVE-2025-15558 [HIGH]: Trivy vulnerability analysis and mitigation
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker CLI is executed as a privileged user.
This issue affects Docker CLI: through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager https://pkg.go.dev/github.com/docker/[email protected]+incompatible/cli-plugins/manager package, such as Docker Compose.
This issue does
Wiz · blogs_wiz · CVSS 9.4
## CVE-2026-33634 [CRITICAL]: Trivy vulnerability analysis and mitigation
Highlighted terms: aquasecurity/trivy-action, aquasecurity/setup-trivy, aquasecurity/trivy, tpcp-docs
Source: NVD. Score 9.4 (Severity CRITICAL, CNA score 9.4). Published March 23, 2026. Affected technologies: Trivy, Chainguard. Public exploit: Yes. CISA KEV exploit: Yes (release date N/A, due date N/A). EPSS percentile 95.6; EPSS probability 21.2. Affected packages and libraries: cpe:2.3:a:litellm:litellm, github.com/aquasecurity/trivy.
Sources:
| Source | Severity | Fix | Added |
|---|---|---|---|
| Chainguard | | No fix | Mar 29, 2026 |
| GoLang | CRITICAL | No fix | Mar 24, 2026 |
| Homebrew | HIGH | No | |
Wiz · blogs_wiz · CVSS 5.9
## CVE-2026-23991 [MEDIUM]: Trivy vulnerability analysis and mitigation
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
Source: NVD. Score 7.5 (Severity HIGH, CNA score 5.9). Published January 22, 2026. Affected technologies: Trivy, CBL Mariner. Public exploit: No. CISA KEV exploit: No.
Wiz · blogs_wiz · CVSS 3.5
## GHSA-5mg7-485q-xm76 [LOW]: LiteLLM vulnerability analysis and mitigation
Highlighted terms: litellm
Source: NVD. Published March 25, 2026. Severity CRITICAL; CNA score N/A. Affected technologies: LiteLLM. Public exploit: No. CISA KEV exploit: No (release date N/A, due date N/A). EPSS percentile N/A; EPSS probability N/A. Affected packages and libraries: litellm.
Sources:
| Source | Severity | Fix | Added |
|---|---|---|---|
| NVD | | | |
| pip | CRITICAL | No fix | Mar 26, 2026 |
## Related LiteLLM vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-35030 | CRITICAL | 9.4 | Chainguard | | | | |
Wiz · blogs_wiz · CVSS 9.4
## GHSA-69x8-hrgq-fjj8 [CRITICAL]: LiteLLM vulnerability analysis and mitigation
## Impact
Three issues combine into a full authentication bypass chain:
- Weak hashing: User passwords are stored as unsalted SHA-256 hashes, making them vulnerable to rainbow table attacks and trivially identifying users with identical passwords.
- Hash exposure: Multiple API endpoints (/user/info, /user/update, /spend/users) return the password hash field in responses to any authenticated user regardless of role. Plaintext passwords could also potentially be exposed in certain scenarios.
- Pass-the-hash: The /v2/login endpoint accepts the raw SHA-256 hash as a valid password without re-hashing, allowing direct login with a stolen

An already authenticated user can retrieve another user's password hash from the API and
Published: 2026-03-23 · Added to CISA KEV: 2026-03-26 · Exploited in the wild