Skip to main content

CVE-2026-35030

CRITICAL
Improper Authentication (CWE-287)
2026-04-03 https://github.com/BerriAI/litellm GHSA-jjhc-v7c2-5hh6
9.4
CVSS 4.0 · Vendor: https://github.com/BerriAI/litellm
Share

Severity by source

Vendor (https://github.com/BerriAI/litellm) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
9.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/BerriAI/litellm).

CVSS VectorVendor: https://github.com/BerriAI/litellm

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch released
Apr 04, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 22:15 vuln.today
CVE Published
Apr 03, 2026 - 21:59 nvd
CRITICAL 9.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 91 pypi packages depend on litellm (75 direct, 16 indirect)

Ecosystem-wide dependent count for version 1.83.0.

DescriptionCVE.org

Impact

When JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters.

This configuration option is not enabled by default. Most instances are not affected.

An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled.

Patches

Fixed in v1.83.0. The cache key now uses the full hash of the JWT token.

Workarounds

Disable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely.

AnalysisAI

Authentication bypass in LiteLLM's JWT/OIDC implementation allows unauthenticated attackers to impersonate legitimate users via cache key collision. When JWT authentication is enabled (non-default configuration), the userinfo cache uses only the first 20 characters of the token as a key. Because JWT headers from the same signing algorithm produce identical prefixes, attackers can forge tokens that collide with cached legitimate sessions, inheriting victim identities and permissions. Fixed in v1.83.0. No public exploit identified at time of analysis, but the vulnerability is straightforward to exploit in affected configurations.

Technical ContextAI

LiteLLM is a Python package (pkg:pip/litellm) that provides a unified interface for multiple LLM providers. The vulnerability stems from a flawed cache key design in the OIDC userinfo cache implementation. When enable_jwt_auth is set to true, the system caches user information from decoded JWT tokens. The cache key derivation uses token[:20], extracting only the first 20 characters of the JWT token string. JWT structure includes a header that indicates the signing algorithm (e.g., 'eyJhbGciOiJIUzI1NiIs' for HS256), which remains constant across tokens signed with the same algorithm. This predictable prefix creates a collision vulnerability classified as CWE-287 (Improper Authentication). The fix in v1.83.0 replaces the substring-based key with a full cryptographic hash of the token, ensuring unique cache keys per token.

RemediationAI

Vendor-released patch: LiteLLM v1.83.0. Organizations should immediately upgrade to v1.83.0 or later using pip install --upgrade litellm>=1.83.0. For environments unable to upgrade immediately, two workarounds are available: disable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely by setting enable_jwt_auth: false. After applying fixes, review authentication logs for suspicious access patterns that may indicate exploitation, particularly looking for multiple users sharing identical session characteristics or unexpected privilege escalations. Official security advisory and patch details are available at https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6.

Vendor StatusVendor

Share

CVE-2026-35030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy