{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-49468", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-30T04:17:43.094Z", "datePublished": "2026-06-22T20:37:14.494Z", "dateUpdated": "2026-06-24T03:56:03.985Z"}, "containers": {"cna": {"title": "LiteLLM: Authentication Bypass via Host Header Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.5, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-4xpc-pv4p-pm3w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-4xpc-pv4p-pm3w"}, {"name": "https://github.com/BerriAI/litellm/releases/tag/v1.84.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/BerriAI/litellm/releases/tag/v1.84.0"}], "affected": [{"vendor": "BerriAI", "product": "litellm", "versions": [{"version": "< 1.84.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T20:37:14.494Z"}, "descriptions": [{"lang": "en", "value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, This vulnerability is fixed in 1.84.0."}], "source": {"advisory": "GHSA-4xpc-pv4p-pm3w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-49468"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T03:56:03.985Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-49468", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-23T14:56:40.712149Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T14:57:32.980Z"}}], "cna": {"title": "LiteLLM: Authentication Bypass via Host Header Injection", "source": {"advisory": "GHSA-4xpc-pv4p-pm3w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.5, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "BerriAI", "product": "litellm", "versions": [{"status": "affected", "version": "< 1.84.0"}]}], "references": [{"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-4xpc-pv4p-pm3w", "name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-4xpc-pv4p-pm3w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/BerriAI/litellm/releases/tag/v1.84.0", "name": "https://github.com/BerriAI/litellm/releases/tag/v1.84.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, This vulnerability is fixed in 1.84.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T20:37:14.494Z"}}}, "cveMetadata": {"cveId": "CVE-2026-49468", "state": "PUBLISHED", "dateUpdated": "2026-06-24T03:56:03.985Z", "dateReserved": "2026-05-30T04:17:43.094Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-22T20:37:14.494Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "litellm: LiteLLM: Authentication Bypass via Host Header Injection", "id": "2491520", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491520"}, "csaw": false, "cvss3": {"cvss3_base_score": "10.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-290", "details": ["LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, This vulnerability is fixed in 1.84.0.", "A flaw was found in LiteLLM, a proxy server (AI Gateway) used to call Large Language Model (LLM) APIs. A remote attacker could exploit a Host-header parsing vulnerability in the proxy authentication layer. By sending a crafted Host header, an attacker could gain unauthenticated access to protected management routes, potentially leading to full system compromise."], "mitigation": {"lang": "en:us", "value": "To mitigate the risk of unauthenticated access, restrict network access to the LiteLLM proxy's management routes. Configure network firewalls or security groups to permit inbound connections only from trusted internal networks. This operational control limits the exposure of vulnerable endpoints to unauthorized external access. If the LiteLLM proxy is deployed behind a load balancer or API gateway, ensure these components are configured to strictly validate and sanitize the HTTP Host header before forwarding requests."}, "name": "CVE-2026-49468", "package_state": [{"cpe": "cpe:/a:redhat:exploit_intelligence:0", "fix_state": "Affected", "package_name": "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9", "product_name": "Exploit Intelligence"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/lightspeed-chatbot-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-27/lightspeed-chatbot-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-06-22T20:37:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-49468\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-49468\nhttps://github.com/BerriAI/litellm/releases/tag/v1.84.0\nhttps://github.com/BerriAI/litellm/security/advisories/GHSA-4xpc-pv4p-pm3w"], "statement": "Critical: This Host-header parsing flaw in LiteLLM's proxy authentication layer allows unauthenticated remote access to protected management routes. Red Hat products leveraging LiteLLM, such as Red Hat OpenShift AI and Red Hat Ansible Automation Platform, are exposed to this vulnerability, potentially leading to unauthorized control over their management interfaces. The issue stems from the authentication gate evaluating a different route than the one dispatched due to a crafted Host header.", "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.84.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "litellm", "source": "cna", "vendor": "BerriAI"}, "product": "litellm", "vendor": "berriai"}], "created": "2026-06-22T23:00:11.395894+00:00", "updated": "2026-06-23T00:15:03.601125+00:00", "vendors": ["berriai", "berriai$PRODUCT$litellm"]}