signal brief
A recent OSV advisory (GHSA-4xpc-pv4p-pm3w) reveals that LiteLLM, an AI gateway for LLM access, is affected by CVE-2026-49468, an authentication bypass via Host header injection. Host header injection is the bug class in which a server trusts the client-controlled Host value; an authentication bypass of this class means that value influences an authentication decision, so a request with a forged Host can be treated as trusted. Successful exploitation could let an attacker bypass authentication and gain unauthorized access to API keys, sensitive data, or model usage. The advisory was published on 2026-06-16, and a release candidate (1.91.0rc1) appeared on PyPI shortly afterwards, suggesting a fix is in progress; until a stable patched release ships, users remain exposed. The standard interim mitigation for this bug class is to reject requests whose Host value is outside an explicit allowlist at the fronting reverse proxy, so the gateway never sees an arbitrary Host. The advisory classifies the vulnerability as high severity; no CVSS score is cited here, and none should be inferred from the bug class alone. For a tool that manages model access and spend tracking across 100+ LLMs, a flaw of this kind can erode trust and adoption. No active exploitation has been reported, but the disclosure itself is a negative signal for the platform's security posture and could prompt customers to delay deployment or seek alternatives. This event is aligned with AI-infrastructure security risks but is single-source and low confidence, since neither confirmed impact nor exploitation has been established.
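As an added, generic illustration of the Host-header-trust bug class named above (example code written for this brief, not LiteLLM's code and not the specific mechanism of CVE-2026-49468): the vulnerable check treats a request as trusted whenever the client-supplied Host header looks local, while the hardened check rejects any Host outside a deployment-configured allowlist and never derives trust from the header. All function names, header values, hostnames and keys are hypothetical, and the sample requests are constructed for the demonstration.

```python
# Added example: generic Host-header-trust bug class beside its hardened form.
# Not LiteLLM's code and not the mechanism of CVE-2026-49468; every name below
# is hypothetical and the sample requests are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Request:
    """Minimal stand-in for an HTTP request; header names are lower-cased."""
    headers: Dict[str, str] = field(default_factory=dict)
    api_key: Optional[str] = None


def host_without_port(host: str) -> str:
    """Normalise a Host value: lower-case, strip the port, keep IPv6 brackets."""
    host = host.strip().lower()
    if host.startswith("["):                     # "[::1]:4000" -> "[::1]"
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


LOCAL_HOSTS: Set[str] = {"localhost", "127.0.0.1", "[::1]"}


def is_authenticated_vulnerable(req: Request, valid_keys: Set[str]) -> bool:
    """Bug class: the client-controlled Host header decides whether auth applies.
    Anyone who can send 'Host: localhost' skips the API-key check entirely."""
    host = host_without_port(req.headers.get("host", ""))
    if host in LOCAL_HOSTS:
        return True                              # "local" caller, auth skipped
    return req.api_key in valid_keys


def is_authenticated_hardened(req: Request, valid_keys: Set[str],
                              allowed_hosts: Set[str]) -> bool:
    """Hardened form: Host is validated against a deployment-configured allowlist
    and never used as a trust signal; the API key is always required."""
    host = host_without_port(req.headers.get("host", ""))
    if host not in allowed_hosts:
        return False                             # unexpected Host: reject outright
    return req.api_key is not None and req.api_key in valid_keys


def demo() -> Dict[str, bool]:
    """Run both checks on constructed requests and return the outcomes."""
    keys = {"sk-valid-key"}                      # hypothetical key store
    allowed = {"llm-gateway.internal"}           # hypothetical deployment hostname
    spoofed = Request(headers={"host": "localhost:4000"})             # no key at all
    legit = Request(headers={"host": "llm-gateway.internal"}, api_key="sk-valid-key")
    wrong_host = Request(headers={"host": "attacker.example"}, api_key="sk-valid-key")
    return {
        "spoofed_vulnerable": is_authenticated_vulnerable(spoofed, keys),
        "spoofed_hardened": is_authenticated_hardened(spoofed, keys, allowed),
        "legit_hardened": is_authenticated_hardened(legit, keys, allowed),
        "wrong_host_hardened": is_authenticated_hardened(wrong_host, keys, allowed),
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist in a real deployment is whatever hostnames the fronting proxy or ingress is configured to serve; if "local" callers genuinely need a different policy, derive that from the transport peer address or a network boundary, never from a request header the client writes.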
evidence
Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.