CVE-2026-35030
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/BerriAI/litellm).
CVSS VectorVendor: https://github.com/BerriAI/litellm
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 91 pypi packages depend on litellm (75 direct, 16 indirect)
Ecosystem-wide dependent count for version 1.83.0.
DescriptionCVE.org
Impact
When JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters.
This configuration option is not enabled by default. Most instances are not affected.
An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled.
Patches
Fixed in v1.83.0. The cache key now uses the full hash of the JWT token.
Workarounds
Disable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely.
AnalysisAI
Authentication bypass in LiteLLM's JWT/OIDC implementation allows unauthenticated attackers to impersonate legitimate users via cache key collision. When JWT authentication is enabled (non-default configuration), the userinfo cache uses only the first 20 characters of the token as a key. Because JWT headers from the same signing algorithm produce identical prefixes, attackers can forge tokens that collide with cached legitimate sessions, inheriting victim identities and permissions. Fixed in v1.83.0. No public exploit identified at time of analysis, but the vulnerability is straightforward to exploit in affected configurations.
Technical ContextAI
LiteLLM is a Python package (pkg:pip/litellm) that provides a unified interface for multiple LLM providers. The vulnerability stems from a flawed cache key design in the OIDC userinfo cache implementation. When enable_jwt_auth is set to true, the system caches user information from decoded JWT tokens. The cache key derivation uses token[:20], extracting only the first 20 characters of the JWT token string. JWT structure includes a header that indicates the signing algorithm (e.g., 'eyJhbGciOiJIUzI1NiIs' for HS256), which remains constant across tokens signed with the same algorithm. This predictable prefix creates a collision vulnerability classified as CWE-287 (Improper Authentication). The fix in v1.83.0 replaces the substring-based key with a full cryptographic hash of the token, ensuring unique cache keys per token.
RemediationAI
Vendor-released patch: LiteLLM v1.83.0. Organizations should immediately upgrade to v1.83.0 or later using pip install --upgrade litellm>=1.83.0. For environments unable to upgrade immediately, two workarounds are available: disable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely by setting enable_jwt_auth: false. After applying fixes, review authentication logs for suspicious access patterns that may indicate exploitation, particularly looking for multiple users sharing identical session characteristics or unexpected privilege escalations. Official security advisory and patch details are available at https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-jjhc-v7c2-5hh6