A critical authentication bypass vulnerability (CVE-2026-49468) was published on June 16, 2026 in LiteLLM, an AI gateway that manages model access and spend tracking across 100+ LLMs.
signal brief
A critical authentication bypass vulnerability (CVE-2026-49468) was published on June 16, 2026 in LiteLLM, an AI gateway that manages model access and spend tracking across 100+ LLMs. The vulnerability allows attackers to bypass authentication via Host Header Injection, potentially exposing sensitive API keys and model access controls. The advisory is hosted on the Open Source Vulnerabilities (OSV) database.

Notably, LiteLLM's PyPI releases show rapid iteration around this date (versions 1.84.7 through 1.89.1 between June 10 and June 17), which may indicate a fix is being rolled out. However, no official patch announcement has been confirmed. This vulnerability poses a security risk for organizations deploying LiteLLM to manage LLM access in production.