Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.
Published: 2026-05-08
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LiteLLM, an AI gateway proxy, allowed authenticated users to submit prompt templates to the POST /prompts/test endpoint, which rendered those templates without any sandbox or validation. Because the rendering engine executed the template as part of the LiteLLM process, a malicious template could trigger arbitrary code execution within that process, granting the attacker full control of the server running LiteLLM. The flaw is identified as CWE-1336 and poses a severe confidentiality, integrity, and availability risk, as the process may contain sensitive environment variables such as LLM provider keys or database credentials.

Affected Systems

The vulnerability affects BerriAI's LiteLLM product versions from 1.80.5 up to, but not including, 1.83.7. Any deployment of LiteLLM within this range that exposes the /prompts/test endpoint to authenticated users is impacted.

Risk and Exploitability

The CVSS base score of 8.6 indicates high severity. EPSS is not available, so exploitation likelihood is uncertain, and the flaw is not listed in CISA KEV. Because the endpoint accepts any caller with a valid proxy API key, the attack vector is straightforward for authenticated users. If the LiteLLM deployment is exposed to potential attackers, the risk of arbitrary code execution and secret leakage is considerable.

Generated by OpenCVE AI on May 8, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiteLLM to version 1.83.7 or later, which sanitizes template rendering and removes the vulnerability.
  • Revoke or regenerate existing API keys that have unrestricted access to the /prompts/test endpoint so that only trusted services can call it.
  • Apply firewall or network segmentation rules to restrict access to the /prompts/test endpoint to a narrow set of internal IPs or services.
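
Added example (not from the advisory or from LiteLLM): a triage of reverse-proxy access logs that lists POSTs to /prompts/test arriving from outside the networks you intend to allow, to support the network-restriction action above. The common-log-format layout, ALLOWED_NETS and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks permitted to call /prompts/test (placeholder value).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.20.0.15 - - [08/May/2026:05:01:02 +0000] "POST /prompts/test HTTP/1.1" 200 512
203.0.113.7 - - [08/May/2026:05:01:09 +0000] "POST /prompts/test HTTP/1.1" 200 2048
203.0.113.7 - - [08/May/2026:05:01:11 +0000] "POST /prompts/test?x=1 HTTP/1.1" 500 87
198.51.100.4 - - [08/May/2026:05:02:00 +0000] "GET /prompts/test HTTP/1.1" 405 0
10.20.0.15 - - [08/May/2026:05:02:30 +0000] "POST /chat/completions HTTP/1.1" 200 900
192.0.2.9 - - [08/May/2026:05:03:00 +0000] "POST /prompts/test/ HTTP/1.1" 401 40
not a log line
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_allowed(ip_text):
    """True if the client address falls inside one of ALLOWED_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostname or garbage in the client field: treat as outside
    return any(ip in net for net in ALLOWED_NETS)


def triage(log_text):
    """Return {client_ip: Counter(status)} for POST /prompts/test from outside ALLOWED_NETS."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ip, method, target, status = m.groups()
        # Ignore the query string and a trailing slash when matching the path.
        path = target.split("?", 1)[0].rstrip("/")
        if method != "POST" or path != "/prompts/test" or is_allowed(ip):
            continue
        findings.setdefault(ip, Counter())[status] += 1
    return findings


if __name__ == "__main__":
    for ip, statuses in triage(SAMPLE_LOG).items():
        print(ip, dict(statuses))
```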


Advisories
Source: Github GHSA
ID: GHSA-xqmj-j6mv-4862
Title: LiteLLM: Server-Side Template Injection in /prompts/test endpoint
History

Fri, 08 May 2026 05:45:00 +0000

Values added (none removed):
First Time appeared: Berriai; Berriai litellm
Vendors & Products: Berriai; Berriai litellm

Fri, 08 May 2026 04:00:00 +0000

Values added (none removed):
Description: same text as the Description at the top of this page
Title: LiteLLM: Server-Side Template Injection in /prompts/test endpoint
Weaknesses: CWE-1336
References
Metrics: cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:36:58.648Z

Reserved: 2026-04-25T05:04:37.027Z

Link: CVE-2026-42203

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T04:16:19.450

Modified: 2026-05-08T04:16:19.450

Link: CVE-2026-42203

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses