CVE-2026-49468 PUBLISHED

LiteLLM: Authentication Bypass via Host Header Injection

Assigner: GitHub_M
Reserved: 30.05.2026 Published: 22.06.2026 Updated: 23.06.2026

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, This vulnerability is fixed in 1.84.0.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.5

Product Status

Vendor BerriAI
Product litellm
Versions
  • Version < 1.84.0 is affected

References

Problem Types

  • CWE-290: Authentication Bypass by Spoofing