← signals
2026-07-11·LITELLM·security risk
highdown

Between June 29 and July 7, 2026, the Open Source Vulnerability (OSV) database published 16 advisories for the LiteLLM...

Between June 29 and July 7, 2026, the Open Source Vulnerability (OSV) database published 16 advisories for the LiteLLM library, covering critical security flaws such as authentication bypass (CVE-2026-49468), remote code execution (CVE-2026-42208, CVE-2024-6825), arbitrary file deletion (CVE-2024-4888), SQL injection (CVE-2024-4890, CVE-2024-5225), server-side request forgery (CVE-2024-6587), and API key leakage (CVE-2024-9606).

window 30devidence 19confidence score 100

confidence score

Strong evidence: 2 independent source classes support this read.

100
high confidence2 independent source classesotherpasses publish gate

signal brief

Between June 29 and July 7, 2026, the Open Source Vulnerability (OSV) database published 16 advisories for the LiteLLM library, covering critical security flaws such as authentication bypass (CVE-2026-49468), remote code execution (CVE-2026-42208, CVE-2024-6825), arbitrary file deletion (CVE-2024-4888), SQL injection (CVE-2024-4890, CVE-2024-5225), server-side request forgery (CVE-2024-6587), and API key leakage (CVE-2024-9606). These vulnerabilities affect versions prior to the latest release (1.91.2) and could allow attackers to compromise systems using LiteLLM, steal sensitive data, or execute arbitrary code. The rapid disclosure of multiple high-severity issues signals significant security debt in the project, potentially eroding developer trust and slowing adoption. The PyPI release 1.91.2 (July 11) may include fixes, but the surge in CVEs suggests ongoing risk.

What the sources said:

  • OSV advisory GHSA-4xpc-pv4p-pm3w (June 16): "LiteLLM: Authentication Bypass via Host Header Injection" (source)
  • OSV advisory PYSEC-2026-1541 (July 7): "LiteLLM Vulnerable to Remote Code Execution (RCE)" (source)
  • OSV advisory PYSEC-2026-1546 (July 7): "LiteLLM Has an Improper Authorization Vulnerability" (source)
  • OSV advisory PYSEC-2026-391 (June 29): "LiteLLM has SQL Injection in Proxy API key verification" (source)

source data used

Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.