LiteLLM Under Fire: Triple Threat Vulnerabilities Expose AI Gateways to Total Takeover
Ddos 
LiteLLM, the popular open-source library used to provide a unified interface for over 100 Large Language Models (LLMs) like OpenAI and Anthropic, has been hit with a series of critical security disclosures. In a series of advisories, researchers have detailed three distinct flaws that, if combined, could allow attackers to bypass authentication, steal credentials, and even execute arbitrary code.
The most severe of these vulnerabilities carries a CVSS score of 9.4, signaling a “patch now” emergency for organizations relying on the tool to manage their AI infrastructure.
The highest-rated vulnerability, tracked as CVE-2026-35030, involves a critical collision in how LiteLLM handles OpenID Connect (OIDC) authentication. When JWT authentication is enabled, the system uses a cache to speed up user information lookups. However, instead of using the full token, the system only uses the first 20 characters as the cache key.
JWT headers created with the same signing algorithm often produce identical first 20 characters. An unauthenticated attacker can craft a token that matches a legitimate user’s cached 20-character prefix.
Upon a cache hit, the attacker is granted the identity and permissions of that legitimate user.While this configuration is not enabled by default, it poses a catastrophic risk to deployments utilizing JWT/OIDC authentication.
Even if OIDC isn’t in use, LiteLLM’s internal user management faced a pass-the-hash authentication bypass issue that leads to full privilege escalation in just three HTTP requests.
Passwords were stored using unsalted SHA-256 hashes, making them easy targets for rainbow table attacks. Multiple API endpoints—including /user/info and /spend/users—leaked these password hashes to any authenticated user, regardless of their role.
The /v2/login endpoint was found to accept the raw SHA-256 hash as a valid password without re-hashing it.This allowed an already authenticated user to simply “scrape” another user’s hash from an API response and use it to log in directly as that user—a classic pass-the-hash attack.
Finally, researchers identified a critical privilege escalation flaw in the /config/update endpoint (CVE-2026-35029, CVSS 8.7). This endpoint, which controls the core proxy settings, failed to enforce administrator-only access.
Any authenticated user could exploit this oversight to:
- Register custom handlers pointing to attacker-controlled Python code to achieve Remote Code Execution (RCE).
- Read arbitrary files on the server by manipulating the UI_LOGO_PATH variable.
- Overwrite environment variables like UI_USERNAME and UI_PASSWORD to seize control of privileged accounts.
The LiteLLM maintainers have moved swiftly to address these gaps. Users are urged to upgrade to v1.83.0 immediately to implement the following fixes:
- OIDC Fix: The cache key now utilizes a full hash of the JWT token rather than a 20-character slice.
- Password Overhaul: Passwords are now hashed using the robust scrypt algorithm with random salts. Furthermore, hashes are now stripped from all API responses.
- Config Lockdown: The /config/update endpoint now strictly requires the proxy_admin role.
If you cannot update immediately, security teams recommend disabling OIDC userinfo caching and strictly limiting the distribution of API keys.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
