LiteLLM
LiteLLM is an AI gateway and LLM proxy server maintained by BerriAI. It translates requests to a unified OpenAI-compatible format and proxies them to downstream providers. NVD tracks it under the litellm:litellm CPE namespace. A cluster of critical CVEs in versions 1.80.5 through 1.83.6 includes unauthenticated SQL injection, template injection RCE, JWT auth bypass, and a command injection flaw (CVE-2026-42271) added to the CISA KEV catalog on June 8, 2026.
Querying LiteLLM
Example query for version 1.82.0 (other versions shown on this page: 1.74.2, 1.83.7):

```bash
curl "https://api.attestd.io/v1/check?product=litellm&version=1.82.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

Version 1.82.0 falls within the affected range for six CVEs, including CVE-2026-42208 (unauthenticated SQL injection, CVSS 9.8) and the CISA KEV entry CVE-2026-42271 (command injection via MCP stdio transport, CVSS 8.8). The aggregated response reflects the worst-case risk across all applicable CVEs.
```json
{
  "product": "litellm",
  "version": "1.82.0",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "active_exploitation",
    "remote_code_execution",
    "no_authentication_required",
    "patch_available"
  ],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "1.83.7",
  "confidence": 0.85,
  "cve_ids": [
    "CVE-2026-42208",
    "CVE-2026-42271",
    "CVE-2026-35030",
    "CVE-2026-35029",
    "CVE-2026-42203",
    "CVE-2026-40217"
  ],
  "last_updated": "2026-06-09T20:06:13Z",
  "supply_chain": null
}
```

Version 1.83.7 patches all six CVEs in the 1.80.5 through 1.83.6 cluster, including CVE-2026-42271 (CISA KEV).
```bash
curl "https://api.attestd.io/v1/check?product=litellm&version=1.83.7" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

CVE history
LiteLLM accumulated six high and critical CVEs between April and May 2026, all patched in version 1.83.7. CVE-2026-42271 was added to the CISA Known Exploited Vulnerabilities catalog on June 8, 2026.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2026-42208 | A database query during proxy API key checks interpolates the caller-supplied key into query text instead of using a parameterized query. An unauthenticated attacker sends a crafted Authorization header to any LLM route, reaches this query via the error-handling path, and reads or modifies data in the proxy database, including stored provider credentials. | 1.81.16 to 1.83.6 | 9.8 |
| CVE-2026-35030 | When JWT authentication is enabled, the OIDC userinfo cache uses token[:20] as the cache key. An unauthenticated attacker crafts a token whose first 20 characters match a cached legitimate token, triggering a cache hit that grants the attacker the cached user's identity and permissions. | all < 1.83.0 | 9.1 |
| CVE-2026-42271 (KEV) | The POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list endpoints accept a full MCP server configuration, including command, args, and env for stdio transport. Any authenticated user with a valid proxy API key can supply a command that executes as a subprocess on the proxy host, achieving arbitrary command execution. | 1.74.2 to 1.83.6 | 8.8 |
| CVE-2026-35029 | The /config/update endpoint does not enforce admin role authorization. Any authenticated user can modify proxy configuration and environment variables, register attacker-controlled Python code as pass-through endpoint handlers to achieve remote code execution, read arbitrary files by overwriting UI_LOGO_PATH, and take over privileged accounts by overwriting UI_USERNAME and UI_PASSWORD. | all < 1.83.0 | 8.8 |
| CVE-2026-42203 | The POST /prompts/test endpoint renders user-supplied prompt templates without sandboxing. A crafted template executes arbitrary code inside the LiteLLM proxy process, exposing provider API keys, database credentials, and other secrets from the process environment. | 1.80.5 to 1.83.6 | 8.8 |
| CVE-2024-4888 | The /audio/transcriptions endpoint passes the caller-supplied filename directly to os.remove() without path validation or authorization checks. Any user can delete arbitrary files on the server, including SSH keys, SQLite databases, and configuration files. | all < 1.35.18 | 8.1 |
KEV = CISA Known Exploited Vulnerabilities catalog. Active exploitation confirmed.
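The affected ranges in the table above, turned into an offline pre-deployment gate. This is an added example, not Attestd's or LiteLLM's own code, and it does not call the Attestd API; the range data is copied from the table, and the version parser assumes plain dotted release numbers with no pre-release tags.

```python
"""Offline affected-range check for LiteLLM releases (added example)."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    # "1.83.7" -> (1, 83, 7); tuple comparison gives numeric ordering.
    # Assumption: plain dotted releases only (no rc/dev suffixes).
    return tuple(int(p) for p in s.strip().split("."))


# (cve_id, first affected or None for "all", upper bound, upper_inclusive)
# Copied from the CVE table above. "a to b" is inclusive on both ends;
# "all < b" has an exclusive upper bound and no lower bound.
ADVISORIES = [
    ("CVE-2026-42208", "1.81.16", "1.83.6", True),
    ("CVE-2026-35030", None, "1.83.0", False),
    ("CVE-2026-42271", "1.74.2", "1.83.6", True),   # CISA KEV
    ("CVE-2026-35029", None, "1.83.0", False),
    ("CVE-2026-42203", "1.80.5", "1.83.6", True),
    ("CVE-2024-4888", None, "1.35.18", False),
]
KEV = {"CVE-2026-42271"}


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids from the table whose affected range covers version."""
    v = parse_version(version)
    hits: List[str] = []
    for cve, lo, hi, inclusive in ADVISORIES:
        if lo is not None and v < parse_version(lo):
            continue
        upper = parse_version(hi)
        if (v <= upper) if inclusive else (v < upper):
            hits.append(cve)
    return hits


def gate(version: str) -> dict:
    """Deployment gate: block on any KEV hit, warn on other hits, else allow."""
    hits = affected_cves(version)
    kev_hits = [c for c in hits if c in KEV]
    decision = "block" if kev_hits else ("warn" if hits else "allow")
    return {"version": version, "cve_ids": hits, "decision": decision}


if __name__ == "__main__":
    for ver in ("1.82.0", "1.74.2", "1.83.7"):
        print(gate(ver))
```

For 1.82.0 this finds five of the six CVEs the API response lists; CVE-2026-40217 is in the response but has no row in the table, which is why a live API query rather than a static table is the authoritative check.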
CPE namespace
NVD assigns LiteLLM CVEs to the litellm:litellm CPE namespace, not the GitHub organization name (BerriAI). The CISA KEV entry names the product as “BerriAI LiteLLM” but the NVD CPE string uses the lowercase package name as both vendor and product.
```
cpe:2.3:a:litellm:litellm
```

Attestd queries this namespace with a keyword filter of "LiteLLM" to scope NVD results to LiteLLM core CVEs and exclude unrelated matches.