Berriai Litellm vulnerabilities
20 known vulnerabilities affecting berriai/litellm.
Total CVEs: 20
CISA KEV: 3 (actively exploited)
Public exploits: 3
Exploited in wild: 3
Severity breakdown: CRITICAL 4, HIGH 11, MEDIUM 5
Vulnerabilities
CVE-2026-42208 | P1 | CRITICAL | CVSS 9.8 | CWE-89 | KEV | PoC | affected versions: >= 1.81.16, < 1.83.7 | 2026-05-08
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Autho
Source: NVD
CVE-2026-42271 | P1 | HIGH | CVSS 8.8 | CWE-77 | KEV | PoC | affected versions: >= 1.74.2, < 1.83.7 | 2026-05-08
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and
Source: NVD
CVE-2026-33634 | P1 | HIGH | CVSS 8.8 | CWE-506 | KEV | affected versions: >= 1.82.7, <= 1.82.8 | 2026-03-23
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the sup
Source: NVD
CVE-2026-35029 | P2 | HIGH | CVSS 8.8 | CWE-863 | PoC | fixed in 1.83.0 | 2026-04-06
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint han
Source: NVD
CVE-2026-35030 | P2 | CRITICAL | CVSS 9.1 | CWE-287 | fixed in 1.83.0 | 2026-04-06
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enab
Source: NVD
CVE-2026-12773 | P2 | CRITICAL | CVSS 9.8 | CWE-287 | affected versions: 1.59.0, 1.59.1, +7 more | 2026-06-21
A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available t
Source: NVD
CVE-2026-47102 | P2 | HIGH | CVSS 8.8 | CWE-863 | fixed in 1.83.10 | 2026-05-21
LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM includi
Source: NVD
CVE-2026-42203 | P2 | HIGH | CVSS 8.8 | CWE-1336 | affected versions: >= 1.80.5, < 1.83.7 | 2026-05-08
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that th
Source: NVD
CVE-2026-47101 | P2 | HIGH | CVSS 8.8 | CWE-863 | fixed in 1.83.14 | 2026-05-21
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach t
Source: NVD
CVE-2026-40217 | P2 | HIGH | CVSS 8.8 | CWE-420 | affected version: bb0639701796218a3447160e55c0f1097446e4e6085df7dfd39f476d4143743f | 2026-04-10
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
Source: NVD
CVE-2026-12770 | P3 | HIGH | CVSS 8.8 | CWE-266 | affected versions: 1.63.0, 1.63.1 | 2026-06-21
A vulnerability was determined in BerriAI litellm up to 1.63.1. The impacted element is an unknown function of the file litellm/proxy/management_endpoints/key_management_endpoints.py of the component Admin Key Handler. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been publicly disclosed and may
Source: NVD
CVE-2026-12771 | P3 | HIGH | CVSS 7.5 | CWE-266 | affected versions: 1.82.0, 1.82.1, +1 more | 2026-06-21
A vulnerability was identified in BerriAI litellm up to 1.82.2. This affects an unknown function of the file litellm/proxy/auth/user_api_key_auth.py of the component M2M JWT Handler. Such manipulation leads to improper authorization. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is repor
Source: NVD
CVE-2026-49468 | P3 | CRITICAL | CVSS 9.8 | CWE-290 | fixed in 1.84.0 | 2026-06-22
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, This vulnerability is fixed in 1.84.0.
Source: NVD
CVE-2026-12795 | P3 | HIGH | CVSS 7.3 | CWE-287 | affected versions: 1.82.0, 1.82.1, +1 more | 2026-06-21
A vulnerability was determined in BerriAI litellm up to 1.82.2. This affects the function json.dumps of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Debug Flow. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The
Source: NVD
CVE-2025-0628 | P3 | HIGH | CVSS 8.1 | CWE-266 | affected versions: 1.82.0, 1.82.1, +1 more | 2025-03-20
An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internal_user_viewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the application, including endpoints such as '/users/list' and '/users
Source: NVD
CVE-2026-12796 | P3 | MEDIUM | CVSS 6.3 | CWE-613 | affected versions: 1.82.0, 1.82.1, +1 more | 2026-06-21
A vulnerability was identified in BerriAI litellm up to 1.82.2. This impacts the function get_redirect_response_from_openid of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Authentication Flow. The manipulation leads to session expiration. The attack can be carried out remotely. The exploit is publicly availab
Source: NVD
CVE-2026-12772 | P3 | MEDIUM | CVSS 6.3 | CWE-613 | affected versions: 1.82.0, 1.82.1, +1 more | 2026-06-21
A security flaw has been discovered in BerriAI litellm up to 1.82.2. This impacts the function authenticate_user of the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Performing a manipulation results in session expiration. The attack may be initiated remotely. The exploit has been released to the pub
Source: NVD
CVE-2026-12798 | P3 | MEDIUM | CVSS 6.3 | CWE-918 | affected versions: 1.82.0, 1.82.1, +1 more | 2026-06-21
A weakness has been identified in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function load_openapi_spec_async of the file litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py of the component MCP OpenAPI Spec Loader. This manipulation of the argument spec_path causes server-side request forgery. It is possible
Source: NVD
CVE-2026-12797 | P3 | MEDIUM | CVSS 6.3 | CWE-285 | affected versions: 1.82.0, 1.82.1, +4 more | 2026-06-21
A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function async_pre_call_hook of the file enterprise/enterprise_hooks/banned_keywords.py of the component Completions Interface. The manipulation of the argument prompt results in incorrect authorization. The attack may be performed remotely. The exploit has been
Source: NVD
CVE-2026-12774 | P3 | MEDIUM | CVSS 6.3 | CWE-918 | affected versions: 1.82.0, 1.82.1, +1 more | 2026-06-21
A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function _execute_with_mcp_client of the file litellm/proxy/_experimental/mcp_server/rest_endpoints.py of the component MCP Server Connection Testing. The manipulation leads to server-side request forgery. Remote exploitation of the atta
Source: NVD