Skip to main content

LiteLLM CVE-2026-59819

| EUVDEUVD-2026-42361 LOW
External Control of File Name or Path (CWE-73)
2026-07-08 GitHub_M
2.1
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
2.7 LOW

Network-reachable endpoint but requires high privileges (proxy admin); confidentiality impact is low as only partial file read applies with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 21:04 EUVD
Analysis Generated
Jul 08, 2026 - 20:49 vuln.today

DescriptionCVE.org

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.10-stable, LiteLLM's /health/test_connection endpoint resolved request-supplied environment and OIDC file references in litellm_params, allowing a proxy administrator or another privileged caller with permission to test model connections to read files from the local filesystem via an oidc/file/ reference. This issue is fixed in version 1.83.10-stable.

AnalysisAI

Local filesystem read in LiteLLM's AI Gateway proxy prior to version 1.83.10-stable allows a proxy administrator to exfiltrate files from the server by supplying crafted oidc/file/ path references through the /health/test_connection endpoint. The vulnerability stems from unsanitized resolution of request-supplied environment and OIDC file references within litellm_params, giving a high-privileged caller a direct path to arbitrary file read. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain proxy admin credentials
Delivery
Authenticate to LiteLLM management API
Exploit
Craft litellm_params with oidc/file/ path reference
Execution
POST to /health/test_connection endpoint
Persist
Server resolves path and reads local file
Impact
Exfiltrate returned file contents

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a proxy administrator role or equivalent privileged caller permission that grants access to the /health/test_connection endpoint - this is explicitly stated in the vulnerability description as the required privilege level. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low, well-aligned with the CVSS 4.0 score of 2.1. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated proxy administrator logs into the LiteLLM management interface and invokes /health/test_connection with a crafted litellm_params payload containing an oidc/file//etc/passwd or oidc/file//path/to/api_keys reference. The server resolves the path against the local filesystem and returns the file contents within the connection test response, allowing the attacker to harvest credentials or sensitive configuration files stored on the proxy host. …
Remediation Upgrade to LiteLLM version 1.83.10-stable or later, which contains the fix as described in GitHub Security Advisory GHSA-4g5m-c9r5-49xf and merged via pull request https://github.com/BerriAI/litellm/pull/25592; the release is available at https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-42208 CRITICAL POC
9.3 May 08

SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read an

CVE-2026-42271 HIGH POC
8.7 May 08

Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute

CVE-2024-2952 CRITICAL POC
9.8 Apr 10

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical s

CVE-2026-40217 HIGH POC
8.8 Apr 10

Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute ar

CVE-2024-4888 HIGH POC
8.1 Jun 06

BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on t

CVE-2025-0330 HIGH POC
7.5 Mar 20

In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error oc

CVE-2024-9606 HIGH POC
7.5 Mar 20

In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerabi

CVE-2024-6587 HIGH POC
7.5 Sep 13

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. Rated high severity (CVSS

CVE-2024-5225 HIGH POC
7.2 Jun 06

An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` en

CVE-2024-4889 HIGH POC
7.2 Jun 06

A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated

CVE-2024-5710 MEDIUM POC
6.5 Jun 27

berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. Rated med

CVE-2024-5751 CRITICAL
9.8 Jun 27

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated crit

Share

CVE-2026-59819 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy