CVE-2026-42203: LiteLLM: SSTI in prompt template endpoint enables RCE

HIGH
Published May 8, 2026
CISO Take

LiteLLM's POST /prompts/test endpoint renders user-supplied prompt templates without sandboxing, allowing any authenticated API key holder to execute arbitrary code inside the LiteLLM Proxy process. This matters beyond a standard RCE because LiteLLM sits as the AI gateway chokepoint in many enterprise stacks, meaning its process environment typically stores credentials for every upstream LLM provider — OpenAI, Anthropic, Azure, Cohere — plus database connection strings. The EPSS percentile places this in the top 86% of vulnerabilities most likely to be exploited, and the low bar for exploitation (any valid proxy API key, not admin) dramatically widens the attacker pool to contractors, developers, or compromised CI/CD pipelines. Patch to LiteLLM v1.83.7 immediately and, as an interim control, block or restrict the /prompts/test endpoint at the reverse proxy layer while rotating all provider API keys accessible to the LiteLLM process.

Sources: NVD, GitHub Advisory, EPSS, ATLAS

What is the risk?

HIGH effective risk despite the absence of a published CVSS score. The attack requires only a valid proxy API key — not admin privileges — making the realistic attacker pool every developer, contractor, or automated service account that has LiteLLM access. Server-side template injection (CWE-1336) enabling full RCE in an AI gateway is especially damaging because the gateway process aggregates credentials for the entire AI supply chain. The EPSS top-86th-percentile ranking signals that exploitation probability is significant once a PoC surfaces, and the simplicity of SSTI payloads (well-documented, copy-paste exploits exist for common template engines) makes this trivially weaponizable once the template engine is identified.

How does the attack unfold?

  1. Initial Access (AML.T0012): the attacker obtains a valid LiteLLM proxy API key through credential theft, a leaked secret in a public repository, or a compromised developer account.

  2. Exploitation (AML.T0049): the attacker sends a crafted POST request to /prompts/test with a malicious template payload embedding server-side execution syntax targeting the unsandboxed template renderer.

  3. Command Execution (AML.T0050): the template engine renders the payload without sandboxing, executing arbitrary OS commands inside the LiteLLM proxy process with the process owner's privileges.

  4. Credential Harvesting (AML.T0055): the attacker reads the process environment to exfiltrate all LLM provider API keys, database credentials, and other secrets, enabling full downstream AI supply chain compromise.

What systems are affected?

Package: LiteLLM
Ecosystem: pip
Vulnerable Range: >= 1.80.5, < 1.83.7
Patched: 1.83.7

Do you use LiteLLM 1.80.5 or later, before 1.83.7? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 23% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

  1. Patch: upgrade LiteLLM to v1.83.7 immediately (patch available as of 2026-05-08).

  2. Network control: block or restrict POST /prompts/test at the reverse proxy or API gateway layer for all non-admin roles pending patching.

  3. Credential rotation: rotate all LLM provider API keys (OpenAI, Anthropic, Azure, Cohere, etc.) and database credentials stored in the LiteLLM process environment.

  4. Detection: query access logs for anomalous requests to /prompts/test containing template syntax patterns ({{, {%, <%, ${, __class__, __globals__).

  5. Least privilege: audit and prune proxy API key distribution; revoke unused keys.

  6. Secrets hygiene: migrate provider credentials from environment variables to a secrets manager (Vault, AWS Secrets Manager) to limit blast radius of future process-level compromises.
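The log query from step 4, as an added example that is not from the advisory or from LiteLLM: it scans constructed JSON-lines access records for POST /prompts/test calls, ranks the bare delimiters low (legitimate prompt templates use them too) and any dunder attribute name high, generalising the listed __class__ / __globals__ markers, and counts high-confidence hits per API key. The log field names and sample records are assumptions, not LiteLLM's real log schema.

```python
import json
import re
from collections import Counter

TARGET_PATH = "/prompts/test"
# Markers from step 4. Bare delimiters also occur in legitimate prompt templates,
# so they rank low; any dunder attribute name (generalising __class__/__globals__) ranks high.
DELIMITERS = ("{{", "{%", "<%", "${")
DUNDER_RE = re.compile(r"__[A-Za-z]+__")

def classify_template(template):
    """Return 'high', 'low' or None for one template string."""
    if DUNDER_RE.search(template):
        return "high"
    if any(d in template for d in DELIMITERS):
        return "low"
    return None

def scan_log(lines):
    """Yield (ts, key_id, confidence, template) for suspicious POST /prompts/test calls."""
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != TARGET_PATH:
            continue
        body = rec.get("body") or "{}"
        try:
            template = str(json.loads(body).get("template", ""))
        except (json.JSONDecodeError, AttributeError):
            template = body  # malformed body: scan the raw text instead
        conf = classify_template(template)
        if conf:
            yield rec["ts"], rec.get("key_id"), conf, template

def high_hits_per_key(findings):
    """Count high-confidence hits per API key; repeats from one key suggest probing."""
    return Counter(key for _, key, conf, _ in findings if conf == "high")

# Constructed JSON-lines log; field names (ts, method, path, key_id, body) are assumptions.
def _rec(ts, method, path, key_id, body):
    return json.dumps({"ts": ts, "method": method, "path": path, "key_id": key_id, "body": body})

SAMPLE_LOG = [
    _rec("2026-05-09T10:00:01Z", "POST", "/chat/completions", "key-a1", json.dumps({"model": "gpt-4o"})),
    _rec("2026-05-09T10:00:05Z", "POST", TARGET_PATH, "key-b2", json.dumps({"template": "Summarize: {{ user_input }}"})),
    _rec("2026-05-09T10:00:07Z", "POST", TARGET_PATH, "key-c3", json.dumps({"template": "{{ config.__class__.__init__.__globals__ }}"})),
    _rec("2026-05-09T10:00:09Z", "POST", TARGET_PATH, "key-c3", "not json {{ x.__class__ }}"),
]

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), high_hits_per_key(scan_log(SAMPLE_LOG)), sep="\n")
```

Treat low-confidence hits as a baseline of normal template traffic and alert on high-confidence hits, or on a single key accumulating several of them.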

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

  • EU AI Act: Article 9 - Risk management system
  • ISO 42001: A.6.2.3 - Security of AI systems in operation
  • NIST AI RMF: MANAGE 2.2 - Risks and benefits of AI system components are examined and documented
  • OWASP LLM Top 10: LLM01 - Prompt Injection; LLM02 - Sensitive Information Disclosure

Frequently Asked Questions


Is CVE-2026-42203 actively exploited?

No confirmed active exploitation of CVE-2026-42203 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-42203?

This vulnerability affects the following AI/ML architecture patterns: LLM API gateways, model serving, agent frameworks, RAG pipelines, multi-tenant AI platforms.

What is the CVSS score for CVE-2026-42203?

CVE-2026-42203 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.31%.

What is the AI security impact?

Affected AI Architectures

LLM API gateways, model serving, agent frameworks, RAG pipelines, multi-tenant AI platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM01, LLM02

What are the technical details?

Original Advisory

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.

Exploitation Scenario

An attacker with a valid LiteLLM proxy API key — obtained via a leaked developer credential in a public repo, a compromised CI/CD secret, or an insider — sends POST /prompts/test with a body containing a Jinja2 server-side template injection payload such as {{config.__class__.__init__.__globals__['os'].popen('env').read()}}. The endpoint validates the API key, then passes the template to the unsandboxed renderer, which executes the OS command in the LiteLLM process context. The response returns the full environment dump including OPENAI_API_KEY, ANTHROPIC_API_KEY, DATABASE_URL, and any other secrets. The attacker now controls all upstream LLM provider accounts, can pivot to any cloud resources attached to those keys, and has a foothold on the host for further lateral movement.

Weaknesses (CWE)

CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

  • [Architecture and Design] Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
  • [Implementation] Use the template engine's sandbox or restricted mode, if available.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 8, 2026
Last Modified: May 13, 2026
First Seen: May 8, 2026
