Description
A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function async_pre_call_hook of the file enterprise/enterprise_hooks/banned_keywords.py of the component Completions Interface. The manipulation of the argument prompt results in incorrect authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the async_pre_call_hook function of the banned_keywords module inside the Completions Interface component of BerriAI litellm. By manipulating the prompt argument, an attacker can cause the authorization logic to evaluate incorrectly, potentially granting unauthorized access to the completion service. The description notes that the attack may be performed from remote, and a public exploit has already been released, indicating that the weakness is exploitable through standard network communication with the service. The incorrect authorization could allow an attacker to use the interface beyond intended permissions, affecting data confidentiality and integrity of the supplied content. Additionally, the same flaw can cause an attacker to exploit identity confusion issues identified by CWE-551, potentially leading to multiple users sharing the same authorization context or privileges.

Affected Systems

BerriAI:litellm up to and including version 1.82.5. The vulnerability affects all deployments using the enterprise/enterprise_hooks/banned_keywords.py module in these releases.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate severity for denial or partial privilege escalation. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. However, the public release of the exploit and the ability to conduct the attack from remote imply that the risk is non‑negligible, especially for environments that rely on the litellm Completions Interface for production workloads.

Generated by OpenCVE AI on June 23, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BerriAI litellm to a version newer than 1.82.5 once the vendor releases a fix.
  • If an immediate upgrade is not possible, disable or bypass the async_pre_call_hook in the banned_keywords module to remove the authorization pathway vulnerable to manipulation.
  • Audit and harden prompt handling by enforcing strict input validation or tokenization to prevent prompt‑based exploits.

Generated by OpenCVE AI on June 23, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-551
References
Metrics threat_severity

None

threat_severity

Low


Mon, 22 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Berriai
Berriai litellm
Vendors & Products Berriai
Berriai litellm

Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function async_pre_call_hook of the file enterprise/enterprise_hooks/banned_keywords.py of the component Completions Interface. The manipulation of the argument prompt results in incorrect authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
Title BerriAI litellm Completions banned_keywords.py async_pre_call_hook authorization
First Time appeared Litellm
Litellm litellm
Weaknesses CWE-285
CWE-863
CPEs cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Vendors & Products Litellm
Litellm litellm
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-22T13:35:44.784Z

Reserved: 2026-06-20T17:12:18.055Z

Link: CVE-2026-12797

cve-icon Vulnrichment

Updated: 2026-06-22T13:35:39.858Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-21T09:15:08Z

Links: CVE-2026-12797 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T14:00:04Z

Weaknesses
  • CWE-285

    Improper Authorization

  • CWE-551

    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

  • CWE-863

    Incorrect Authorization