CVE-2026-35030
published 2026-04-06CVE-2026-35030: LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth…
PriorityP263critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
0.49%
38.4th percentile
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| berriai | litellm | < 1.83.0 | 1.83.0 |
| litellm | litellm | < 1.83.0 | 1.83.0 |
| litellm | litellm | >= 0 < 1.83.0 | 1.83.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →OIDC userinfo cache key collision: detect tokens where only the first 20 characters are used as cache key (token[:20]), enabling authentication bypass when JWT auth is enabled ↗
- →Flag LiteLLM deployments with enable_jwt_auth: true in configuration, as the vulnerability only manifests when this setting is explicitly enabled ↗
- →Monitor for unauthenticated requests that result in cache hits on the OIDC userinfo cache, particularly where the attacker's token first 20 characters match a legitimate user's cached token ↗
- →Alert on LiteLLM versions prior to 1.83.0 running with JWT/OIDC authentication enabled, as these are vulnerable to authentication bypass and privilege escalation ↗
- ·Vulnerability only affects deployments where JWT authentication is explicitly enabled; the default configuration is NOT vulnerable ↗
- ·Red Hat products (Ansible Automation Platform, Lightspeed Core, Red Hat OpenShift AI) are affected only if configured with JWT authentication (enable_jwt_auth: true) ↗
- ·Mitigation without patching: disable enable_jwt_auth in LiteLLM configuration and restart the service; only applies if JWT auth is not strictly required ↗
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvdv4.09.4CRITICALCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat9.4CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision
vendor_redhat·2026-04-06·CVSS 9.4
CVE-2026-35030 [CRITICAL] CWE-222 litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision
litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
A flaw was found in
GHSA
LiteLLM: Authentication bypass via OIDC userinfo cache key collision
ghsa·2026-04-03
CVE-2026-35030 [CRITICAL] CWE-287 LiteLLM: Authentication bypass via OIDC userinfo cache key collision
LiteLLM: Authentication bypass via OIDC userinfo cache key collision
### Impact
When JWT authentication is enabled (`enable_jwt_auth: true`), the OIDC userinfo cache uses `token[:20]` as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters.
This configuration option is not enabled by default. **Most instances are not affected.**
An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled.
### Patches
Fixed in v1.83.0. The cache key now uses the full hash of the JWT token.
### Workarounds
Disable OIDC userinfo caching by setting the cach
OSV
LiteLLM: Authentication bypass via OIDC userinfo cache key collision
osv·2026-04-03
CVE-2026-35030 [CRITICAL] LiteLLM: Authentication bypass via OIDC userinfo cache key collision
LiteLLM: Authentication bypass via OIDC userinfo cache key collision
### Impact
When JWT authentication is enabled (`enable_jwt_auth: true`), the OIDC userinfo cache uses `token[:20]` as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters.
This configuration option is not enabled by default. **Most instances are not affected.**
An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled.
### Patches
Fixed in v1.83.0. The cache key now uses the full hash of the JWT token.
### Workarounds
Disable OIDC userinfo caching by setting the cach
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-67494 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-67494 [CRITICAL] CVE-2025-67494 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67494 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1.
Source : NVD
## 8.6
Score
Published December 9, 2025
Severity HIGH
CNA Score 9.3
Affected Technologies
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit N
Wiz
CVE-2026-27840 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-27840 [MEDIUM] CVE-2026-27840 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27840 :
Chainguard vulnerability analysis and mitigation
:
token_id
v2_-at_
token_id
user_id
user_id
subject
oidc_session_id
access_token_id
user_id
user_id
Source : NVD
## 4.3
Score
Published February 26, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/zitadel/zitadel
zitadel
Sources
NVD
Chainguard No Fix Added at: Mar 02, 2026
GoLang Severity MEDIUM Has Fix Added at: Mar 02, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just wha
Wiz
CVE-2026-1188 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-1188 [MEDIUM] CVE-2026-1188 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1188 :
Chainguard vulnerability analysis and mitigation
In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0.
Source : NVD
## 6.9
Score
Published January 29, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.
Wiz
CVE-2026-22778 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22778 [CRITICAL] CVE-2026-22778 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22778 :
Chainguard vulnerability analysis and mitigation
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
Source : NVD
## 9.8
Score
Published February 2, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Chainguard
vLLM
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Prob
Wiz
CVE-2026-22807 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-22807 [HIGH] CVE-2026-22807 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22807 :
Chainguard vulnerability analysis and mitigation
auto_map
trust_remote_code
Source : NVD
## 9.8
Score
Published January 21, 2026
Severity CRITICAL
CNA Score 8.8
Affected Technologies
Chainguard
vLLM
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
py3-vllm-cuda-12.4
tritonserver-backend-vllm-cuda-13.0
Sources
NVD
Chainguard Has Fix Added at: Jan 23, 2026
pip Severity HIGH Has Fix Added at: Jan 22, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Chainguard vulnerabilities:
C
Wiz
CVE-2025-66451 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-66451 [MEDIUM] CVE-2025-66451 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66451 :
Chainguard vulnerability analysis and mitigation
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the prompts via PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). However, the request bodies are not sufficiently validated for proper input, enabling users to modify prompts in a way that was not intended as part of the front end system. The patchPromptGroup function passes req.body directly to updatePromptGroup() without filtering sensitive fields. This issue is fixed in version 0.8.1.
Source : NVD
## 5.3
Score
Published December 11, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA
Wiz
CVE-2026-25922 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-25922 [HIGH] CVE-2026-25922 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25922 :
Chainguard vulnerability analysis and mitigation
authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
Source : NVD
## 8.8
Score
Published February 12, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA K
Wiz
CVE-2025-69222 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-69222 [CRITICAL] CVE-2025-69222 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69222 :
Chainguard vulnerability analysis and mitigation
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF)
vulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI specifications, supporting various HTTP methods, parameters, and authentication methods including custom headers. By default, there are no restrictions on accessible services, which means agents can also access internal components like the RAG API included in the default Docker Compose setup. This issue is fixed in version 0.8.1-rc2.
Source : NVD
## 8.1
Score
Publishe
Wiz
CVE-2026-25748 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-25748 [HIGH] CVE-2026-25748 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25748 :
Chainguard vulnerability analysis and mitigation
authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.
Source : NVD
## 7.5
Score
Published February 12, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Proba
Wiz
CVE-2026-22773 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-22773 [MEDIUM] CVE-2026-22773 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22773 :
Chainguard vulnerability analysis and mitigation
vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.
Source : NVD
## 7.5
Score
Published January 10, 2026
Severity HIGH
CNA Score 6.5
Affected Technologies
Chainguard
vLLM
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.5
Exploitat
Wiz
CVE-2026-31950 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-31950 [MEDIUM] CVE-2026-31950 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31950 :
Chainguard vulnerability analysis and mitigation
/api/agents/chat/stream/:streamId
Source : NVD
## 5.3
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:librechat:librechat
librechat
Sources
Chainguard No Fix Added at: Mar 31, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 31, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 31, 2026
Linux Severity MEDIUM Has Fix Added at: Apr 02, 2026
Windows Severity MEDIUM Has Fix Added at: Apr 02, 2026
## Get a CVE risk assessment
Wiz
CVE-2026-32131 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-32131 [HIGH] CVE-2026-32131 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32131 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant’s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2.
Source : NVD
## 7.7
Score
Published March 11, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EP
Wiz
CVE-2026-27482 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-27482 [MEDIUM] CVE-2026-27482 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27482 :
Chainguard vulnerability analysis and mitigation
Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher.
Source : NVD
## 6.5
Score
Published February 21, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
Chainguard
Ray
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CI
Wiz
CVE-2026-27945 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.1
CVE-2026-27945 [LOW] CVE-2026-27945 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27945 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open source identity management platform. Zitadel Action V2 (introduced as early preview in 2.59.0, beta in 3.0.0 and GA in 4.0.0) is a webhook based approach to allow developers act on API request to Zitadel and customize flows such the issue of a token. Zitadel's Action target URLs can point to local hosts, potentially allowing adversaries to gather internal network information and connect to internal services. When the URL points to a local host / IP address, an adversary might gather information about the internal network structure, the services exposed on internal hosts etc. This is sometimes called a Server-Side Request Forgery (SSRF). Zitadel Actions expect responses according to specific schemas, w
Wiz
CVE-2025-69221 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-69221 [MEDIUM] CVE-2025-69221 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69221 :
Chainguard vulnerability analysis and mitigation
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when
querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for this agent. LibreChat allows the configuration of agents that have a predefined set of instructions and context. Private agents are not visible to other users. However, if an attacker knows the agent ID, they can read the permissions of the agent including the permissions individually assigned to other users. This issue is fixed in version 0.8.2-rc2.
Source : NVD
## 4.3
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Chaingua
Wiz
CVE-2026-31943 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2026-31943 [HIGH] CVE-2026-31943 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31943 :
Chainguard vulnerability analysis and mitigation
isPrivateIP()
packages/api/src/auth/domain.ts
169.254.169.254
Source : NVD
## 8.5
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
librechat
cpe:2.3:a:librechat:librechat
Sources
Chainguard Has Fix Added at: Mar 29, 2026
Linux Severity HIGH Has Fix Added at: Mar 29, 2026
Windows Severity HIGH Has Fix Added at: Mar 29, 2026
Linux Severity HIGH No Fix Added at: Apr 02, 2026
Windows Severity HIGH No Fix Added at: Apr 02, 2026
## Get a
Wiz
CVE-2026-33265 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-33265 [MEDIUM] CVE-2026-33265 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33265 :
Chainguard vulnerability analysis and mitigation
In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.
Source : NVD
## 9
Score
Published March 18, 2026
Severity CRITICAL
CNA Score 6.3
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:librechat:librechat
librechat
Sources
Chainguard No Fix Added at: Mar 19, 2026
Linux Severity CRITICAL Has Fix Added at: Mar 19, 2026
Windows Severity CRITICAL Has Fix Added at: Mar 19, 2026
Linux Severity CRITICAL Has Fix Added at: Mar 26, 2026
Windows Sever
Wiz
CVE-2025-41258 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.0
CVE-2025-41258 [HIGH] CVE-2025-41258 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-41258 :
Chainguard vulnerability analysis and mitigation
LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API.
Source : NVD
## 8
Score
Published March 18, 2026
Severity HIGH
CNA Score 8.0
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
librechat
cpe:2.3:a:librechat:librechat
Sources
Chainguard No Fix Added at: Mar 19, 2026
Linux Severity HIGH Has Fix Added at: Mar 19, 2026
Windows Severity HIGH Has Fix Added at: Mar 19, 2026
Linux Severity HI
Wiz
CVE-2026-35030 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-35030 [HIGH] CVE-2026-35030 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35030 :
Chainguard vulnerability analysis and mitigation
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
Source : NVD
## 9.4
Score
Published April 6, 202
Wiz
CVE-2026-33132 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-33132 [MEDIUM] CVE-2026-33132 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33132 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.
This allowed users to bypass the restriction and sign in with users from other organizations. N
Wiz
CVE-2026-32132 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.4
CVE-2026-32132 [HIGH] CVE-2026-32132 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32132 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the code, could allow an attacker to potentially register their own passkey and gain access to the victim's account. This vulnerability is fixed in 3.4.8 and 4.12.2.
Source : NVD
## 7.4
Score
Published March 11, 2026
Severity HIGH
CNA Score 7.4
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Proba
Wiz
CVE-2025-67495 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.0
CVE-2025-67495 [HIGH] CVE-2025-67495 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67495 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, unauthenticated remote attacker can execute malicious JS code on Zitadel users’ browsers. To carry out an attack, multiple user sessions need to be active in the same browser, however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1.
Source : NVD
## 6.1
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 8.0
Affected Technologies
Wiz
CVE-2025-7105 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.7
CVE-2025-7105 [MEDIUM] CVE-2025-7105 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-7105 :
Chainguard vulnerability analysis and mitigation
/api/convos/fork
Source : NVD
## 5.7
Score
Published February 2, 2026
Severity MEDIUM
CNA Score 5.7
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:librechat:librechat
librechat
Sources
NVD
Chainguard Has Fix Added at: Feb 02, 2026
Linux Severity MEDIUM Has Fix Added at: Feb 24, 2026
Windows Severity MEDIUM Has Fix Added at: Feb 24, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Rel
Wiz
CVE-2026-31945 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-31945 [HIGH] CVE-2026-31945 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31945 :
Chainguard vulnerability analysis and mitigation
LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability ( https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8 ) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch.
Source : NVD
## 7.7
Score
Published March 27, 2026
Severity HIGH
CNA S
Wiz
CVE-2026-23511 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-23511 [MEDIUM] CVE-2026-23511 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23511 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.
Source : NVD
## 5.3
Score
Published January 15, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/zitadel/zitadel
zi
Wiz
CVE-2026-27893 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-27893 [HIGH] CVE-2026-27893 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27893 :
Chainguard vulnerability analysis and mitigation
trust_remote_code=True
--trust-remote-code=False
Source : NVD
## 8.8
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Chainguard
vLLM
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
vllm
py3-vllm-cuda-12.4
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
pip Severity HIGH Has Fix Added at: Mar 29, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Chainguard vulnerabilities:
CVE ID
Severity
Wiz
CVE-2026-2473 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-2473 [HIGH] CVE-2026-2473 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2473 :
Chainguard vulnerability analysis and mitigation
Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).
This vulnerability was patched and no customer action is needed.
Source : NVD
## 7.7
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Chainguard
Vertex AI SDK
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 53.2
Exploitation Probability (E
Wiz
CVE-2025-66452 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-66452 [MEDIUM] CVE-2025-66452 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66452 :
Chainguard vulnerability analysis and mitigation
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json() includes user input in the error message, which gets reflected in responses. User input (including HTML/JavaScript) can be exposed in error responses, creating an XSS risk if Content-Type isn't strictly enforced. This issue does not have a fix at the time of publication.
Source : NVD
## 5.3
Score
Published December 11, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.4
Exploitat
Wiz
CVE-2026-29191 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-29191 [CRITICAL] CVE-2026-29191 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29191 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0.
Source : NVD
## 9.3
Score
Published March 7, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
zitadel
github.com/zitadel/zitadel
Sources
NVD
Chainguard No Fix Added at: Mar 08, 2026
GoLang Severity CRITICAL
Wiz
CVE-2026-29193 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-29193 [HIGH] CVE-2026-29193 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29193 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1.
Source : NVD
## 8.2
Score
Published March 7, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/zitadel/zitadel
github.
Wiz
CVE-2026-22252 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-22252 [CRITICAL] CVE-2026-22252 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22252 :
Chainguard vulnerability analysis and mitigation
LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2.
Source : NVD
## 9.9
Score
Published January 12, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:librechat:librechat
librechat
Sources
Chain
Wiz
CVE-2025-67717 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-67717 [MEDIUM] CVE-2025-67717 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67717 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2.
Source : NVD
## 5.3
Score
Published December 11, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probabili
Wiz
CVE-2026-32130 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-32130 [HIGH] CVE-2026-32130 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32130 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Request to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2.
Source : NVD
## 7.5
Score
Published March 1
Wiz
CVE-2026-31951 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-31951 [MEDIUM] CVE-2026-31951 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31951 :
Chainguard vulnerability analysis and mitigation
{{LIBRECHAT_OPENID_ACCESS_TOKEN}}
Source : NVD
## 5.7
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:librechat:librechat
librechat
Sources
Chainguard No Fix Added at: Mar 29, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Linux Severity MEDIUM No Fix Added at: Apr 02, 2026
Windows Severity MEDIUM No Fix Added at: Apr 02, 2026
## Get a CVE risk assessment
Wiz
CVE-2025-69220 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-69220 [HIGH] CVE-2025-69220 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69220 :
Chainguard vulnerability analysis and mitigation
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2.
Source : NVD
## 5.9
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 7.1
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability
Wiz
CVE-2026-29192 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-29192 [HIGH] CVE-2026-29192 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29192 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0.
Source : NVD
## 7.7
Score
Published March 7, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/zitadel/zitadel
github.com/zitadel/zitadel/v2
Sources
NVD
Chainguard No Fix Added at: Mar 08, 2026
GoLang Severi
Wiz
CVE-2026-31949 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-31949 [MEDIUM] CVE-2026-31949 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31949 :
Chainguard vulnerability analysis and mitigation
LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler attempts to destructure req.body.arg without validating that it exists. The server crashes due to an unhandled TypeError that bypasses Express error handling middleware and triggers process.exit(1). This vulnerability is fixed in 0.8.3-rc1.
Source : NVD
## 6.5
Score
Published March 13, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA
Wiz
CVE-2026-5199 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-5199 [MEDIUM] CVE-2026-5199 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5199 :
Chainguard vulnerability analysis and mitigation
A writer role user in an attacker-controlled namespace could signal, delete, and reset workflows or activities in a victim namespace on the same cluster. Exploitation requires the attacker to know or guess specific victim workflow ID(s) and, for signal operations, signal names. This was due to a bug introduced in Temporal Server v1.29.0 which inadvertently allowed an attacker to control the namespace name value instead of using the server's own trusted name value within the batch activity code. The batch activity validated the namespace ID but did not cross-check the namespace name against the worker's bound namespace, allowing the per-namespace worker's privileged credentials to operate on an arbitrary namespace. Exploi
Wiz
CVE-2026-24779 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-24779 [HIGH] CVE-2026-24779 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24779 :
Chainguard vulnerability analysis and mitigation
MediaConnector
llm-d
llm-d
Source : NVD
## 7.1
Score
Published January 27, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Chainguard
vLLM
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
vllm
tritonserver-backend-vllm-cuda-13.0
Sources
NVD
Chainguard Has Fix Added at: Mar 29, 2026
pip Severity HIGH Has Fix Added at: Jan 28, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Chainguard vulnerabilities:
CVE ID
Severity
Wiz
CVE-2026-29067 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-29067 [HIGH] CVE-2026-29067 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29067 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1.
Source : NVD
## 9.3
Score
Published March 7, 2026
Severity CRITICAL
CNA Score 8.1
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.8
Exploitation Probability (E
Wiz
CVE-2025-66450 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-66450 [HIGH] CVE-2025-66450 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66450 :
Chainguard vulnerability analysis and mitigation
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When sharing chats with a potentially malicious “tracker”, resources loaded can lead to loss of privacy for users who view the chat link that is sent to them. This issue is fixed in version 0.8.1.
Source : NVD
## 8.6
Score
Published December 11, 2025
Severity HIGH
CNA Score 8.6
Affected Technologies
Chainguard
LibreChat
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probabil
Wiz
CVE-2026-27946 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-27946 [HIGH] CVE-2026-27946 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27946 :
Chainguard vulnerability analysis and mitigation
ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7 resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address and/or phone number itself. If an upgrade is not possible, an action (v2) could be used to prevent setting the verification flag on the own user.
Source : NVD
## 8.2
Score
Published February 26, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Chainguard
Has Public
Wiz
CVE-2026-25227 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-25227 [CRITICAL] CVE-2026-25227 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25227 :
Chainguard vulnerability analysis and mitigation
authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
Source : NVD
## 7.2
Score
Published February 12, 2026
Severity HIGH
CNA Score 9.1
Affected Technologies
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.7
Wiz
GHSA-5mg7-485q-xm76 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.5
[LOW] GHSA-5mg7-485q-xm76 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-5mg7-485q-xm76 :
LiteLLM vulnerability analysis and mitigation
litellm
Source : NVD
Published March 25, 2026
Severity CRITICAL
CNA Score N/A
Affected Technologies
LiteLLM
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
litellm
Sources
NVD
pip Severity CRITICAL No Fix Added at: Mar 26, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related LiteLLM vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-2026-35030
CRITICAL
9.4
Chainguard
Wiz
CVE-2026-31944 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-31944 [HIGH] CVE-2026-31944 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31944 :
Chainguard vulnerability analysis and mitigation
LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, The MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redirect URL is logged in or that the logged-in user matches the initiator. An attacker can send the authorization URL to a victim; when the victim completes the flow, the victim’s OAuth tokens are stored on the attacker’s LibreChat account, enabling account takeover of the victim’s MCP-linked services (e.g. Atlassian, Outlook). This vulnerability is fixed in 0.8.3-rc1.
Source : NVD
## 7.6
Score
Published March 13, 2026
Sever
Wiz
CVE-2026-23227 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-23227 [HIGH] CVE-2026-23227 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23227 :
Chainguard vulnerability analysis and mitigation
In the Linux kernel, the following vulnerability has been resolved:
drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Exynos Virtual Display driver performs memory alloc/free operations
without lock protection, which easily causes concurrency problem.
For example, use-after-free can occur in race scenario like this:
CPU0 CPU1 CPU2
---- ---- ----
vidi_connection_ioctl()
if (vidi->connection) // true
drm_edid = drm_edid_alloc(); // alloc drm_edid
...
ctx->raw_edid = drm_edid;
...
drm_mode_getconnector()
drm_helper_probe_single_connector_modes()
vidi_get_modes()
if (ctx->raw_edid) // true
drm_edid_dup(ctx->raw_edid);
if (!drm_edid) // false
...
vidi_connection_
Wiz
CVE-2026-35029 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-35029 [HIGH] CVE-2026-35029 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35029 :
Chainguard vulnerability analysis and mitigation
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.
Source : NVD
## 8.7
Score
Published April 6, 2026
Severity HIGH
CNA Score 8.7
Wiz
GHSA-69x8-hrgq-fjj8 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
[CRITICAL] GHSA-69x8-hrgq-fjj8 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-69x8-hrgq-fjj8 :
LiteLLM vulnerability analysis and mitigation
## Impact
Three issues combine into a full authentication bypass chain:
Weak hashing: User passwords are stored as unsalted SHA-256 hashes, making them vulnerable to rainbow table attacks and trivially identifying users with identical passwords.
Hash exposure: Multiple API endpoints (/user/info, /user/update, /spend/users) return the password hash field in responses to any authenticated user regardless of role. Plaintext passwords could also potentially be exposed in certain scenarios.
Pass-the-hash: The /v2/login endpoint accepts the raw SHA-256 hash as a valid password without re-hashing, allowing direct login with a stolenAn already authenticated user can retrieve another user's password hash from the API and
Bugzilla
CVE-2026-35030 litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision
bugzilla·2026-04-06·CVSS 9.4
CVE-2026-35030 [CRITICAL] CVE-2026-35030 litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision
CVE-2026-35030 litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6https://access.redhat.com/errata/RHSA-2026:13545https://access.redhat.com/errata/RHSA-2026:28960https://access.redhat.com/errata/RHSA-2026:30056https://access.redhat.com/security/cve/CVE-2026-35030https://bugzilla.redhat.com/show_bug.cgi?id=2455509https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-35030.json
2026-04-06
Published