Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
Published: 2026-04-06
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Immediately
AI Analysis

Impact

LiteLLM, an AI gateway, uses JWT authentication when enable_jwt_auth is set to true. Prior to version 1.83.0, the OIDC userinfo cache key is derived from the first 20 characters of the token. Because JWT headers generated by the same signing algorithm produce identical prefixes, an attacker can create a token whose prefix matches a legitimate cached token. When the cache is consulted, the attacker receives the legitimate user's identity and permissions, effectively bypassing authentication. This flaw allows an unauthenticated user to act as any authenticated user, gaining unauthorized access to protected resources.

Affected Systems

Affected deployments include BerriAI's LiteLLM environments running versions prior to 1.83.0 with JWT/OIDC authentication enabled. Systems that have not enabled enable_jwt_auth or are already running 1.83.0 or later are not impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.4, indicating critical severity. Its EPSS score is less than 1%, suggesting a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Nevertheless, the attack scenario is straightforward: an attacker must supply a crafted JWT token that matches the cache key of an existing authenticated user. If the system is operating with JWT enabled, the attacker can trigger a cache hit and inherit that user's permissions with minimal effort, making the risk high for any exposed instance.

Generated by OpenCVE AI on April 8, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiteLLM to version 1.83.0 or later, which resolves the cache key collision issue.
  • Disable JWT/OIDC authentication (set enable_jwt_auth to false) if it is not required for your deployment.
  • Limit network exposure of the LiteLLM endpoint to trusted users or internal networks only.

Generated by OpenCVE AI on April 8, 2026 at 01:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jjhc-v7c2-5hh6 LiteLLM: Authentication bypass via OIDC userinfo cache key collision
History

Wed, 08 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-222
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Litellm
Litellm litellm
CPEs cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Vendors & Products Litellm
Litellm litellm

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Berriai
Berriai litellm
Vendors & Products Berriai
Berriai litellm

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
Title LiteLLM has an authentication bypass via OIDC userinfo cache key collision
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Berriai Litellm
Litellm Litellm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:24:34.782Z

Reserved: 2026-03-31T21:06:06.427Z

Link: CVE-2026-35030

cve-icon Vulnrichment

Updated: 2026-04-07T14:24:28.779Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T17:17:12.650

Modified: 2026-04-07T20:20:56.653

Link: CVE-2026-35030

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-06T16:47:02Z

Links: CVE-2026-35030 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:50:39Z

Weaknesses