2026-07-04 · LITELLM · security risk
Risk level: high

Multiple security advisories have been published for LiteLLM, an open-source library for interfacing with LLM API providers.

Window: 15d · Evidence items: 7 · Confidence score: 100

Confidence score: 100 (high confidence). Strong evidence: 2 independent source classes (other) support this read; passes publish gate.

signal brief

Multiple security advisories have been published for LiteLLM, an open-source library for interfacing with LLM API providers. The vulnerabilities include authentication bypass via host header injection (CVE-2026-49468), server-side template injection in the /completions endpoint (CVE-2024-2952), remote code execution via unsafe eval (CVE-2024-5751), authentication bypass via OIDC userinfo cache key collision (CVE-2026-35030), and SQL injection in proxy API key verification (CVE-2026-42208). These vulnerabilities pose significant security risks to users, potentially allowing unauthorized access, privilege escalation, or data breaches. The advisories were published on OSV.dev between June 16 and June 29, 2026. A new PyPI release, litellm 1.90.3, was made on July 3, 2026, which may include fixes, but the advisories indicate that prior versions are affected.


Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.