2026-06-30·LITELLM·security risk
severity: high · direction: down

Between June 16 and June 29, 2026, multiple OSV advisories (sources 2-7) disclosed severe vulnerabilities in LiteLLM, a popular LLM API proxy library.

window: 15d · evidence: 7

signal brief

Between June 16 and June 29, 2026, multiple OSV advisories (sources 2-7) disclosed severe vulnerabilities in LiteLLM, a popular LLM API proxy library. The advisories include: authentication bypass via Host header injection (CVE-2026-49468), server-side template injection in /completions (CVE-2024-2952), remote code execution via unsafe eval (CVE-2024-5751), authentication bypass via OIDC userinfo cache key collision (CVE-2026-35030), and SQL injection in proxy API key verification (CVE-2026-42208). All are rated high severity. The next day, June 30, a new release, 1.90.1 (source 1), was published on PyPI; it likely includes patches, but the disclosure of these CVEs undermines trust in the software's security posture. Organizations running LiteLLM are exposed to potential credential theft, data breaches, and unauthorized access until they patch. This represents a significant security risk for the AI proxy layer, potentially driving users to alternative solutions or requiring urgent patching. The direction is down for LiteLLM's reputation and adoption confidence.

evidence

Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.