cbcvebase.
CVE-2026-35030
published 2026-04-06

Priority: P263
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.49% (38.4th percentile)
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWTs whose headers are produced by the same signing algorithm share an identical base64 header prefix, so their first 20 characters are the same. This configuration option is not enabled by default, and most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token; on a cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
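The following is an added illustration of the cache-key weakness described above; it is not LiteLLM's code. A minimal userinfo cache is modelled with a pluggable key function, and two constructed HS256 tokens for different users (issued with the same header and a demo key) are looked up. Keyed on token[:20], the second user's lookup hits the first user's cached entry; keyed on a SHA-256 hash of the full token, the two entries stay separate. The cache class, key functions and token helper are all hypothetical.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Constructed HS256 token for the demo (not a production issuer)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                               separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64url(hmac.new(key, f"{header}.{payload}".encode(),
                          hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verified_claims(token: str, key: bytes) -> dict:
    """Stand-in for the OIDC userinfo call: checks the HMAC, then returns claims."""
    header, payload, sig = token.split(".")
    expected = b64url(hmac.new(key, f"{header}.{payload}".encode(),
                               hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


class UserInfoCache:
    """Hypothetical userinfo cache; the key function is the part under test."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._store = {}

    def lookup_or_fetch(self, token: str, fetch):
        cache_key = self._key_fn(token)
        if cache_key in self._store:
            return self._store[cache_key], True   # served from cache, no fetch
        info = fetch(token)
        self._store[cache_key] = info
        return info, False


def weak_key(token: str) -> str:
    # Pre-1.83.0 behaviour described in the advisory: prefix only.
    # The prefix is the base64 JWT header, which is shared by every token
    # issued with the same alg/typ, so distinct tokens map to the same entry.
    return token[:20]


def hardened_key(token: str) -> str:
    # Hash of the whole token: distinct tokens get distinct cache entries,
    # and the raw bearer token is not stored as a dictionary key.
    return hashlib.sha256(token.encode()).hexdigest()


def simulate(key_fn):
    """Return (first user's sub, second user's sub, whether 2nd lookup hit the cache)."""
    demo_key = b"constructed-demo-signing-key"
    alice = make_jwt({"sub": "alice", "role": "admin"}, demo_key)
    bob = make_jwt({"sub": "bob", "role": "viewer"}, demo_key)
    cache = UserInfoCache(key_fn)
    fetch = lambda tok: verified_claims(tok, demo_key)
    alice_info, _ = cache.lookup_or_fetch(alice, fetch)
    bob_info, hit = cache.lookup_or_fetch(bob, fetch)
    return alice_info["sub"], bob_info["sub"], hit


if __name__ == "__main__":
    print("token[:20] key:", simulate(weak_key))      # bob is served alice's identity
    print("sha256 key:    ", simulate(hardened_key))  # bob gets his own entry
```

The weak run shows the failure mode the advisory describes: the second token never reaches the userinfo endpoint and is served the first user's claims. Keying on a digest of the full token is one straightforward fix; upgrading to 1.83.0 or disabling enable_jwt_auth, as listed under mitigations below, is the operational answer.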

Affected

3 ranges

Vendor    Product   Version range    Fixed in
berriai   litellm   < 1.83.0         1.83.0
litellm   litellm   < 1.83.0         1.83.0
litellm   litellm   >= 0 < 1.83.0    1.83.0

Detection & IOCs (extracted from sources)

  • OIDC userinfo cache key collision: code that uses only the first 20 characters of the token as the cache key (token[:20]) enables authentication bypass when JWT auth is enabled
  • Flag LiteLLM deployments with enable_jwt_auth: true in configuration, as the vulnerability only manifests when this setting is explicitly enabled
  • Monitor for unauthenticated requests that result in cache hits on the OIDC userinfo cache, particularly where the first 20 characters of the presented token match a legitimate user's cached token
  • Alert on LiteLLM versions prior to 1.83.0 running with JWT/OIDC authentication enabled, as these are vulnerable to authentication bypass and privilege escalation
  • The vulnerability only affects deployments where JWT authentication is explicitly enabled; the default configuration is NOT vulnerable
  • Red Hat products (Ansible Automation Platform, Lightspeed Core, Red Hat OpenShift AI) are affected only if configured with JWT authentication (enable_jwt_auth: true)
  • Mitigation without patching: disable enable_jwt_auth in the LiteLLM configuration and restart the service; only applicable if JWT auth is not strictly required

CVSS provenance

nvd            v3.1   9.1   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd            v4.0   9.4   CRITICAL   CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat         9.4   CRITICAL