Skip to main content

LiteLLM EUVDEUVD-2026-38156

| CVE-2026-12797 LOW
Incorrect Authorization (CWE-863)
2026-06-21 VulDB GHSA-p897-vf7j-f5h8
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Low-privileged network authentication required; scope unchanged; no availability impact from a content-filter bypass; confidentiality and integrity limited by the hook's position in the request pipeline.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 22, 2026 - 06:33 vuln.today
Severity Changed
Jun 21, 2026 - 10:22 NVD
MEDIUM LOW
CVSS changed
Jun 21, 2026 - 10:22 NVD
5.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function async_pre_call_hook of the file enterprise/enterprise_hooks/banned_keywords.py of the component Completions Interface. The manipulation of the argument prompt results in incorrect authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.

AnalysisAI

Incorrect authorization in BerriAI LiteLLM's enterprise banned keywords hook allows remote low-privileged authenticated users to bypass prompt content filtering by manipulating the prompt argument to the async_pre_call_hook function in enterprise/enterprise_hooks/banned_keywords.py. All versions in the 1.82.x series up to and including 1.82.5 are confirmed affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privileged LiteLLM API credentials
Delivery
Identify banned keyword in enterprise policy
Exploit
Craft prompt with bypass manipulation (encoding/whitespace/structure)
Install
Submit crafted request to Completions Interface
C2
async_pre_call_hook incorrectly authorizes request
Execute
Banned prompt forwarded to upstream LLM provider
Impact
Policy-violating completion returned to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privileged authenticated account on the LiteLLM enterprise API, consistent with the PR:L metric in the provided CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.1 with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L and supplemental metric E:P reflects a low-to-moderate base risk: network-reachable, low complexity, but requiring authenticated (low-privileged) access, with limited CIA impacts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privileged API user targeting an enterprise LiteLLM 1.82.x deployment submits a Completions API request with a crafted `prompt` argument - for example, using encoding variations, whitespace injection, or structural manipulation - that causes `async_pre_call_hook` to incorrectly authorize the request despite its content matching a configured banned keyword. The hook passes the request upstream to the LLM provider, which returns a completion based on content that the enterprise policy was explicitly configured to block. …
Remediation No vendor-released patched version has been independently confirmed at time of analysis - the VulDB submission (https://vuldb.com/submit/811288) notes early vendor contact but no fix version appears in any available reference. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-42208 CRITICAL POC
9.3 May 08

SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read an

CVE-2026-42271 HIGH POC
8.7 May 08

Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute

CVE-2024-2952 CRITICAL POC
9.8 Apr 10

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical s

CVE-2026-40217 HIGH POC
8.8 Apr 10

Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute ar

CVE-2024-4888 HIGH POC
8.1 Jun 06

BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on t

CVE-2025-0330 HIGH POC
7.5 Mar 20

In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error oc

CVE-2024-9606 HIGH POC
7.5 Mar 20

In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerabi

CVE-2024-6587 HIGH POC
7.5 Sep 13

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. Rated high severity (CVSS

CVE-2024-5225 HIGH POC
7.2 Jun 06

An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` en

CVE-2024-4889 HIGH POC
7.2 Jun 06

A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated

CVE-2024-5710 MEDIUM POC
6.5 Jun 27

berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. Rated med

CVE-2024-5751 CRITICAL
9.8 Jun 27

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated crit

Share

EUVD-2026-38156 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy