Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, a Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from request.url.path in litellm/proxy/auth/auth_utils.py::get_request_route(), which Starlette reconstructs from the Host header. A crafted Host could therefore make the auth gate evaluate a different route from the one FastAPI dispatched. This vulnerability is fixed in 1.84.0.
Published: 2026-06-22
Score: 9.5 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to version 1.84.0, a Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The authentication layer derives the effective route from request.url.path in litellm/proxy/auth/auth_utils.py::get_request_route(), which Starlette reconstructs from the Host header. By injecting a crafted Host header, an attacker can cause the authentication gate to evaluate a different route than the one FastAPI dispatched, thereby bypassing the authentication check and gaining unauthorized access to protected routes. This vulnerability was a CWE-290 authentication bypass flaw and was fixed in version 1.84.0.

Affected Systems

The vulnerability affects the BerriAI:litellm product. Any deployment of LiteLLM prior to version 1.84.0 is susceptible; version 1.84.0 and later contain the fix.

Risk and Exploitability

The CVSS score is 9.5, indicating critical severity. The EPSS score is <1%, suggesting a very low but non‑zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, indicating no known active exploitation at present. The likely attack vector is a network‑based Host header injection performed over HTTP, indicating that systems exposed to external networks could be compromised if the host header is not properly validated.

Generated by OpenCVE AI on July 14, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiteLLM to version 1.84.0 or later to apply the vendor supplied fix.
  • Configure your deployment to validate the Host header against an allow‑list of trusted domains to prevent injection of arbitrary host values.
  • Limit access to the LiteLLM proxy to trusted internal networks or enforce strict firewall rules, ensuring only authenticated users or systems can send requests through the proxy.

Generated by OpenCVE AI on July 14, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4xpc-pv4p-pm3w LiteLLM: Authentication Bypass via Host Header Injection
History

Wed, 08 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, This vulnerability is fixed in 1.84.0. LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, a Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from request.url.path in litellm/proxy/auth/auth_utils.py::get_request_route(), which Starlette reconstructs from the Host header. A crafted Host could therefore make the auth gate evaluate a different route from the one FastAPI dispatched. This vulnerability is fixed in 1.84.0.

Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

threat_severity

Critical


Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Berriai
Berriai litellm
Vendors & Products Berriai
Berriai litellm

Mon, 22 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, This vulnerability is fixed in 1.84.0.
Title LiteLLM: Authentication Bypass via Host Header Injection
Weaknesses CWE-290
References
Metrics cvssV4_0

{'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T19:32:42.245Z

Reserved: 2026-05-30T04:17:43.094Z

Link: CVE-2026-49468

cve-icon Vulnrichment

Updated: 2026-06-30T12:09:55.893Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Critical

Publid Date: 2026-06-22T20:37:14Z

Links: CVE-2026-49468 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T01:45:03Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing