On 2026-06-16, a security advisory was published for LiteLLM, a popular library for interfacing with LLM API providers, disclosing CVE-2026-49468: an authentication bypass via host header injection (OSV advisory).
signal brief
On 2026-06-16, a security advisory was published for LiteLLM, a popular library for interfacing with LLM API providers, disclosing CVE-2026-49468: an authentication bypass via host header injection (OSV advisory). The vulnerability could allow attackers to bypass authentication mechanisms, potentially exposing API keys and sensitive data. Multiple PyPI releases occurred around the same time (versions 1.84.9 through 1.90.0rc1, from June 16 to June 21), indicating active development, but neither the advisory nor the release notes explicitly mention a fix. The absence of a confirmed patch, combined with the severity of an authentication bypass, represents a significant trust and security risk for developers and enterprises relying on LiteLLM in AI infrastructure workflows. This event lowers confidence in the library's security posture and may prompt migration to alternatives until a fix is confirmed.
evidence
Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.