EUVD-2026-28502
GHSA-xqmj-j6mv-4862
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Blast Radius
ecosystem impact- 2 pypi packages depend on litellm (1 direct, 1 indirect)
Ecosystem-wide dependent count for version 1.80.5.
DescriptionNVD
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.
AnalysisAI
Server-side template injection in LiteLLM Proxy versions 1.80.5 through 1.83.6 allows authenticated users to execute arbitrary code via the POST /prompts/test endpoint. Any user with a valid proxy API key can submit malicious prompt templates that escape sandboxing and run commands in the proxy server process, exposing environment secrets like provider API keys and database credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Valid LiteLLM proxy API key for authentication (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is high but not critical due to authentication requirement limiting attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker with a valid LiteLLM proxy API key crafts a malicious prompt template containing server-side template injection payloads (e.g., Jinja2 syntax accessing Python object internals like {{''.__class__.__mro__[1].__subclasses__()}}). They submit this payload to POST /prompts/test, which the proxy renders without sandboxing. … |
| Remediation | Upgrade to LiteLLM version 1.83.7-stable or later, which implements sandboxed template rendering that blocks dangerous object attribute access (confirmed fix at https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all LiteLLM Proxy instances and document their version numbers; audit and rotate all API keys with proxy access privileges. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh inst
Server-side template injection in Jupyter Enterprise Gateway versions 2.0.0rc2 through 3.2.x allows remote attackers to
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today