CVE-2026-42203
LiteLLM: Server-Side Template Injection in /prompts/test endpoint
Vexday Risk Score: 41 (Attention)
SSVC Decision (CISA): Attend
PoC available → monitor closely
CVSS 8.6 · EPSS 0.3% · KEV: no · Public PoC: yes · Nuclei: — · Metasploit: — · Patch: —
Lifecycle
08 May 2026: Published in NVD
15 May 2026: Public PoC
Recommendation: Plan remediation soon; a public PoC already exists.
LiteLLM is a proxy server (AI Gateway) used to call LLM APIs in OpenAI (or native) format. From version 1.80.5 up to, but not including, version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products
BerriAI · litellm
Public PoCs found: 1
github: github.com/Astianjy/CVE-2026-42203
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.