- CVE: CVE-2026-49468
- CVSS: 9.5 (Critical)
- Product: litellm (pip)
- Affected: < 1.84.0
- Impact: LiteLLM: Authentication Bypass via Host Header Injection
- Status: No confirmed exploitation yet
- Patched in: 1.84.0
- Action: Update to 1.84.0 now
Critical bug exposes LiteLLM management routes
A newly disclosed LiteLLM authentication bypass could let unauthenticated attackers reach protected management routes on the popular open-source AI gateway. Tracked as CVE-2026-49468 and rated critical (CVSS 9.5), the flaw stems from how the proxy parses the HTTP Host header.
LiteLLM gives teams a single, unified interface to call more than 100 LLM providers. As a result, its proxy often sits as a central chokepoint for API keys and provider secrets. That position makes any weakness on its management surface worth attention.
How the Host Header Injection works
The root cause sits in get_request_route() inside litellm/proxy/auth/auth_utils.py. The auth layer derived the effective route from request.url.path, which Starlette reconstructs from the Host header. Therefore, a crafted Host could make the auth gate evaluate a different route than the one FastAPI actually dispatched.
In practice, that mismatch can slip a request past authentication. The issue maps to CWE-290, authentication bypass by spoofing.
Most deployments are not affected
Importantly, this LiteLLM authentication bypass does not hit every install. Any upstream layer that validates or normalizes the Host header blocks it. A CDN or WAF such as Cloudflare, a reverse proxy with server_name allowlists, or a host-based load balancer all neutralize the attack. LiteLLM Cloud customers are not affected either.
Researchers Le The Thang of KCSC and Kim Ngoc Chung of One Mount Group reported the flaw responsibly.
Patch and mitigation
The maintainers fixed the issue in LiteLLM release 1.84.0, and no configuration change is required. Admins should therefore upgrade promptly.
If patching must wait, place the proxy behind an upstream component that enforces strict Host validation. Alternatively, restrict network access to the proxy listener.
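As an added illustration of the upstream mitigation the advisory recommends (example code written for this page, not LiteLLM's own code or its patch), the following pure-Python ASGI middleware refuses any request whose Host header is malformed or not on an allowlist before routing or auth code can derive a URL from it. The names in ALLOWED_HOSTS and the request path used in the probe are assumed, constructed values.

```python
import asyncio
import re

# Hostnames this proxy is allowed to serve (assumed deployment values).
ALLOWED_HOSTS = {"litellm.internal.example", "localhost", "127.0.0.1"}
# A bare hostname or IPv4, or a bracketed IPv6 literal, plus an optional port.
# Anything else (path separators, userinfo, query characters, whitespace) fails.
_HOST_RE = re.compile(r"^([A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\])(:\d{1,5})?$")


def host_is_trusted(host_header, allowed=ALLOWED_HOSTS):
    """True only for a syntactically clean Host whose name is on the allowlist."""
    match = _HOST_RE.match(host_header or "")
    return match is not None and match.group(1).lower() in allowed  # port ignored


class StrictHostMiddleware:
    """ASGI middleware that rejects unknown or malformed Host values up front."""

    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = allowed

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            host = next((v.decode("latin-1") for k, v in scope["headers"] if k == b"host"), None)
            if not host_is_trusted(host, self.allowed):
                await send({"type": "http.response.start", "status": 400,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"Invalid Host header"})
                return
        await self.app(scope, receive, send)


async def _probe(host_header, path="/protected/example"):
    """Drive one constructed request through the middleware; return the status."""
    sent = []

    async def protected_app(scope, receive, send):  # stand-in for the real proxy app
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})

    headers = [] if host_header is None else [(b"host", host_header.encode("latin-1"))]
    scope = {"type": "http", "method": "GET", "path": path, "headers": headers}

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    await StrictHostMiddleware(protected_app)(scope, receive, send)
    return sent[0]["status"]


def status_for_host(host_header):
    """HTTP status the middleware produces for a request carrying this Host."""
    return asyncio.run(_probe(host_header))
```

Requests with a trusted Host reach the wrapped app (200); a missing, malformed or unlisted Host is answered with 400 before any route derivation happens.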