CVE-2026-42203
published 2026-05-08


Priority: P2 (62)
CVSS 3.1: 8.8 (High), AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.37% (29.2th percentile)
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.

Affected (5 ranges)

Vendor                              Product                         Version range          Fixed in
ansible-automation-platform-26      lightspeed-chatbot-rhel9        (not listed)           (not listed)
berriai                             litellm                         (not listed)           (not listed)
exploit-intelligence-tech-preview   vulnerability-analysis-rhel9    (not listed)           (not listed)
litellm                             litellm                         >= 1.80.5, < 1.83.7    1.83.7
rhoai                               odh-llama-stack-core-rhel9      (not listed)           (not listed)

Detection & IOCs (extracted from sources)

  • Monitor POST requests to the /prompts/test endpoint on LiteLLM Proxy instances, in particular requests whose body carries template-injection payloads.
  • Alert on authenticated POST /prompts/test calls whose body contains template syntax (e.g. Jinja2-style {{ }} or {% %} constructs); these may indicate exploitation attempts.
  • Audit the LiteLLM Proxy process environment for unexpected access to secrets (provider API keys, database credentials); such access may indicate post-exploitation activity.
  • The vulnerable endpoint requires only a valid proxy API key, so every authenticated user can reach it: the attack surface is every key holder, not just privileged users.
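The following is an added example, not LiteLLM project code and not from the advisory sources: it turns the "Affected" range and the detection guidance above into two runnable checks. is_affected_version() tells you whether an installed LiteLLM version falls inside >= 1.80.5, < 1.83.7; scan_requests() walks proxy request records, notes every POST /prompts/test, and escalates those whose body carries Jinja2-style template syntax. The request-record shape (one JSON object per line with method, path, api_key_alias and body fields) and the prompt_template field name are assumptions made for this example; map them onto whatever your gateway or reverse proxy actually logs. The sample records are constructed, not real traffic.

```python
"""Added example for CVE-2026-42203 triage; this is not LiteLLM project code.

  is_affected_version(v)  -- is an installed LiteLLM version inside the
                             advisory's affected range (>= 1.80.5, < 1.83.7)?
  scan_requests(lines)    -- walk proxy request records, note every
                             POST /prompts/test, and escalate those whose body
                             carries template syntax ({{ }} / {% %}).

The request-record shape (JSON per line with method, path, api_key_alias and
body) is an assumption for this example; adapt the field names to your logs.
"""
import json
import re
from typing import Iterable, Iterator, List, Optional, Tuple

AFFECTED_MIN: Tuple[int, int, int] = (1, 80, 5)  # first affected release
FIXED_IN: Tuple[int, int, int] = (1, 83, 7)      # patched release

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Reduce '1.83.7', 'v1.83.7' or '1.83.7rc1' to its numeric triple."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected_version(v: str) -> bool:
    """True when v lies in the advisory's range: >= 1.80.5 and < 1.83.7."""
    return AFFECTED_MIN <= parse_version(v) < FIXED_IN


TARGET_PATH = "/prompts/test"
# Jinja2-style expression and statement delimiters, as named in the guidance.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def _string_leaves(obj) -> Iterator[str]:
    """Yield every string inside a parsed JSON body.

    Matching on string values (rather than on the serialised body) avoids
    false positives from the '}}' that closes nested JSON objects.
    """
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _string_leaves(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _string_leaves(v)


def classify_request(rec: dict) -> Optional[str]:
    """None for unrelated traffic; 'observe' for any POST /prompts/test;
    'alert' when the body also contains template syntax."""
    if str(rec.get("method", "")).upper() != "POST":
        return None
    path = str(rec.get("path", "")).split("?", 1)[0].rstrip("/")
    if path != TARGET_PATH:
        return None
    if any(TEMPLATE_SYNTAX.search(s) for s in _string_leaves(rec.get("body"))):
        return "alert"
    return "observe"


def scan_requests(lines: Iterable[str]) -> List[dict]:
    """Return one finding per matching record: line number, level, caller, path."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON request record; skip it
        level = classify_request(rec)
        if level is not None:
            findings.append({
                "line": n,
                "level": level,
                "caller": rec.get("api_key_alias", "unknown"),
                "path": rec.get("path"),
            })
    return findings


# Constructed sample records for the example (not real traffic).
SAMPLE_LOG_LINES = [
    '{"ts":"2026-05-09T10:00:01Z","method":"POST","path":"/chat/completions","api_key_alias":"team-a","body":{"model":"gpt-4o","messages":[{"role":"user","content":"hi"}]}}',
    '{"ts":"2026-05-09T10:00:07Z","method":"POST","path":"/prompts/test","api_key_alias":"team-a","body":{"prompt_template":"Summarise: {{ user_input }}"}}',
    '{"ts":"2026-05-09T10:00:09Z","method":"POST","path":"/prompts/test","api_key_alias":"contractor-7","body":{"prompt_template":"{% for k in secrets %}{{ k }}{% endfor %}"}}',
    '{"ts":"2026-05-09T10:00:12Z","method":"GET","path":"/prompts/test","api_key_alias":"team-b","body":""}',
    '{"ts":"2026-05-09T10:00:15Z","method":"POST","path":"/prompts/test/","api_key_alias":"team-b","body":{"prompt_template":"plain text, no template"}}',
]

if __name__ == "__main__":
    for v in ("1.80.4", "1.80.5", "1.83.6", "1.83.7"):
        print(f"{v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    for f in scan_requests(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: {f['level']:7} caller={f['caller']} path={f['path']}")
```

Two caveats when running this against real traffic. First, legitimate prompt templates also use {{ }} and {% %}, so "alert" here is a triage signal that a template reached the endpoint, not proof of exploitation; the second sample record is exactly that kind of benign hit, and you will want an allowlist of known template authors or a stricter payload pattern before paging anyone. Second, once the proxy is at 1.83.7 or later the endpoint is no longer exploitable per the advisory, so gate the alert on is_affected_version() of the instance rather than alerting on every deployment.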

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v4.0      8.6     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat   (n/a)     8.6     HIGH       (vector not given on this page)

Note that the two NVD vectors disagree on availability impact: the v3.1 vector rates it A:H, while the v4.0 vector rates it VA:N.