A wave of critical security vulnerabilities has been disclosed for LiteLLM, an open-source LLM API proxy library,...
A wave of critical security vulnerabilities has been disclosed for LiteLLM, an open-source LLM API proxy library, primarily via OSV advisories between June 29 and July 13, 2026.
confidence score
Strong evidence: 2 independent source classes support this read.
signal brief
A wave of critical security vulnerabilities has been disclosed for LiteLLM, an open-source LLM API proxy library, primarily via OSV advisories between June 29 and July 13, 2026. The disclosed CVEs include remote code execution (CVE-2024-8984, CVE-2026-42271), SQL injection (CVE-2024-4890, CVE-2024-5225), authentication bypass via host header injection (CVE-2026-49468), privilege escalation (CVE-2026-35029), and sandbox escape in custom-code guardrails (CVE-2026-40217). These vulnerabilities affect critical security boundaries and could allow attackers to execute arbitrary code, access sensitive data, or escalate privileges. The concentration of disclosures suggests a systemic security review or researcher focus. For users relying on LiteLLM as a proxy gateway to LLM providers, these issues pose a direct trust and operational risk, potentially driving users to alternative solutions or requiring urgent patching. The library's PyPI release 1.92.0 (July 12) may or may not address these CVEs; the advisory dates indicate many were published after that release. The cumulative effect undermines LiteLLM's reliability in production AI infrastructure.
What the sources said:
- "LiteLLM: Authentication Bypass via Host Header Injection" (OSV advisory GHSA-4xpc-pv4p-pm3w).
- "LiteLLM Vulnerable to Remote Code Execution (RCE)" (OSV advisory PYSEC-2026-1541).
- "LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint" (OSV advisory PYSEC-2026-2597).
- "SQL injection in litellm" (OSV advisory PYSEC-2026-1544).
source data used
“Library to easily interface with LLM API providers”
“Aliases: CVE-2026-49468, PYSEC-2026-388 LiteLLM: Authentication Bypass via Host Header Injection”
“Aliases: CVE-2024-4888, GHSA-3xr8-qfvj-9p9j Arbitrary file deletion in litellm”
“Aliases: CVE-2024-6825, GHSA-53gh-p8jc-7rg8 LiteLLM Vulnerable to Remote Code Execution (RCE)”
“Aliases: CVE-2024-4264, GHSA-7ggm-4rjg-594w litellm passes untrusted data to `eval` function without sanitization”
“Aliases: CVE-2025-0330, GHSA-879v-fggm-vxw2 LiteLLM Has a Leakage of Langfuse API Keys”
“Aliases: CVE-2024-4890, GHSA-8j42-pcfm-3467 SQL injection in litellm”
“Aliases: CVE-2024-8984, GHSA-fh2c-86xm-pm2x LiteLLM Vulnerable to Denial of Service (DoS) via Crafted HTTP Request”
“Aliases: CVE-2025-0628, GHSA-fjcf-3j3r-78rp LiteLLM Has an Improper Authorization Vulnerability”
“Aliases: CVE-2024-6587, GHSA-g26j-5385-hhw3 LiteLLM Server-Side Request Forgery (SSRF) vulnerability”
“Aliases: CVE-2024-9606, GHSA-g5pg-73fc-hjwq LiteLLM Reveals Portion of API Key via a Logging File”
“Aliases: CVE-2024-10188, GHSA-gw2q-qw9j-rgv7 LiteLLM Vulnerable to Denial of Service (DoS)”
“Aliases: CVE-2024-5225, GHSA-h6m6-jj8v-94jj SQL injection in litellm”
“Aliases: CVE-2024-5710, GHSA-qqcv-vg9f-5rr3 litellm vulnerable to improper access control in team management”
“Aliases: CVE-2026-35029, GHSA-53mr-6c8q-9789 LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint”
“Aliases: CVE-2026-47101, GHSA-qrc4-49gv-mv9m LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit”
“Aliases: CVE-2026-42271, GHSA-v4p8-mg3p-g94g LiteLLM: Authenticated command execution via MCP stdio test endpoints”
“Aliases: CVE-2026-47102, GHSA-wpfp-gwwc-vwq6 LiteLLM allows a user to modify their own user_role via the /user/update endpoint”
“Aliases: CVE-2026-40217, GHSA-wxxx-gvqv-xp7p LiteLLM has a sandbox escape in custom-code guardrail”
“Aliases: CVE-2026-42203, GHSA-xqmj-j6mv-4862 LiteLLM: Server-Side Template Injection in /prompts/test endpoint”
“Aliases: CVE-2024-2952, GHSA-46cm-pfwv-cgf8 LiteLLM has Server-Side Template Injection vulnerability in /completions endpoint”
“Aliases: CVE-2026-49468, GHSA-4xpc-pv4p-pm3w LiteLLM: Authentication Bypass via Host Header Injection”
“Aliases: CVE-2024-5751, GHSA-gppg-gqw8-wh9g litellm vulnerable to remote code execution based on using eval unsafely”
“Aliases: CVE-2026-35030, GHSA-jjhc-v7c2-5hh6 LiteLLM: Authentication bypass via OIDC userinfo cache key collision”
“Aliases: CVE-2026-42208, GHSA-r75f-5x8p-qvmc LiteLLM has SQL Injection in Proxy API key verification”
Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.