Between June 29 and July 17, 2026, 23 CVEs were published for LiteLLM, an open-source LLM API gateway, spanning RCE,...
Between June 29 and July 17, 2026, 23 CVEs were published for LiteLLM, an open-source LLM API gateway, spanning RCE, SQL injection, authentication bypass, sandbox escape, arbitrary file deletion, and API key leakage.
confidence score
Strong evidence: 2 independent source classes support this read.
signal brief
Between June 29 and July 17, 2026, 23 CVEs were published for LiteLLM, an open-source LLM API gateway, spanning RCE, SQL injection, authentication bypass, sandbox escape, arbitrary file deletion, and API key leakage. The severity is underscored by multiple remote code execution advisories (PYSEC-2026-1541, PYSEC-2026-389, PYSEC-2026-1552) and a high-speed disclosure of privilege escalation (e.g., PYSEC-2026-2597, PYSEC-2026-2600). This volume of critical flaws in a short period signals significant security hygiene issues. Enterprises using LiteLLM in production face urgent patching pressure and potential trust erosion. The publication of a dev release (1.94.0.dev3) on July 17 suggests ongoing remediation, but the backlog of unpatched vulnerabilities poses immediate operational risk.
What the sources said:
- OSV advisory PYSEC-2026-1541: "LiteLLM Vulnerable to Remote Code Execution (RCE)" (https://osv.dev/vulnerability/PYSEC-2026-1541)
- OSV advisory PYSEC-2026-2597: "LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint" (https://osv.dev/vulnerability/PYSEC-2026-2597)
- OSV advisory PYSEC-2026-2601: "LiteLLM has a sandbox escape in custom-code guardrail" (https://osv.dev/vulnerability/PYSEC-2026-2601)
- OSV advisory PYSEC-2026-388: "LiteLLM: Authentication Bypass via Host Header Injection" (https://osv.dev/vulnerability/PYSEC-2026-388)
source data used
“Library to easily interface with LLM API providers”
“Aliases: CVE-2024-4888, GHSA-3xr8-qfvj-9p9j Arbitrary file deletion in litellm”
“Aliases: CVE-2024-6825, GHSA-53gh-p8jc-7rg8 LiteLLM Vulnerable to Remote Code Execution (RCE)”
“Aliases: CVE-2024-4264, GHSA-7ggm-4rjg-594w litellm passes untrusted data to `eval` function without sanitization”
“Aliases: CVE-2025-0330, GHSA-879v-fggm-vxw2 LiteLLM Has a Leakage of Langfuse API Keys”
“Aliases: CVE-2024-4890, GHSA-8j42-pcfm-3467 SQL injection in litellm”
“Aliases: CVE-2024-8984, GHSA-fh2c-86xm-pm2x LiteLLM Vulnerable to Denial of Service (DoS) via Crafted HTTP Request”
“Aliases: CVE-2025-0628, GHSA-fjcf-3j3r-78rp LiteLLM Has an Improper Authorization Vulnerability”
“Aliases: CVE-2024-6587, GHSA-g26j-5385-hhw3 LiteLLM Server-Side Request Forgery (SSRF) vulnerability”
“Aliases: CVE-2024-9606, GHSA-g5pg-73fc-hjwq LiteLLM Reveals Portion of API Key via a Logging File”
“Aliases: CVE-2024-10188, GHSA-gw2q-qw9j-rgv7 LiteLLM Vulnerable to Denial of Service (DoS)”
“Aliases: CVE-2024-5225, GHSA-h6m6-jj8v-94jj SQL injection in litellm”
“Aliases: CVE-2024-5710, GHSA-qqcv-vg9f-5rr3 litellm vulnerable to improper access control in team management”
“Aliases: CVE-2026-35029, GHSA-53mr-6c8q-9789 LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint”
“Aliases: CVE-2026-47101, GHSA-qrc4-49gv-mv9m LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit”
“Aliases: CVE-2026-42271, GHSA-v4p8-mg3p-g94g LiteLLM: Authenticated command execution via MCP stdio test endpoints”
“Aliases: CVE-2026-47102, GHSA-wpfp-gwwc-vwq6 LiteLLM allows a user to modify their own user_role via the /user/update endpoint”
“Aliases: CVE-2026-40217, GHSA-wxxx-gvqv-xp7p LiteLLM has a sandbox escape in custom-code guardrail”
“Aliases: CVE-2026-42203, GHSA-xqmj-j6mv-4862 LiteLLM: Server-Side Template Injection in /prompts/test endpoint”
“Aliases: CVE-2024-2952, GHSA-46cm-pfwv-cgf8 LiteLLM has Server-Side Template Injection vulnerability in /completions endpoint”
“Aliases: CVE-2026-49468, GHSA-4xpc-pv4p-pm3w LiteLLM: Authentication Bypass via Host Header Injection”
“Aliases: CVE-2024-5751, GHSA-gppg-gqw8-wh9g litellm vulnerable to remote code execution based on using eval unsafely”
“Aliases: CVE-2026-35030, GHSA-jjhc-v7c2-5hh6 LiteLLM: Authentication bypass via OIDC userinfo cache key collision”
“Aliases: CVE-2026-42208, GHSA-r75f-5x8p-qvmc LiteLLM has SQL Injection in Proxy API key verification”
Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.