CVE-2026-49468: LiteLLM auth bypass

Q: Is CVE-2026-49468 actively exploited?

No confirmed active exploitation of CVE-2026-49468 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-49468?

1. Upgrade litellm to >= 1.84.0 — no configuration change required post-upgrade. 2. If unable to patch immediately, place the proxy behind a CDN (Cloudflare), WAF, or reverse proxy (nginx, Caddy) with explicit server_name allowlists to validate and normalize Host headers before forwarding. 3. Restrict network access to the proxy listener to trusted internal CIDR ranges via firewall rules as an additional control. 4. Detection: audit proxy access logs for requests with Host headers that do not match the canonical proxy hostname (unexpected domains, IP literals, port variants, internal hostnames). 5. Rotate all LLM API keys and virtual keys accessible via management routes if exposure cannot be ruled out for the affected version window.

CISO Take

A Host-header parsing flaw in LiteLLM's proxy auth layer (litellm < 1.84.0) lets an unauthenticated attacker reach protected management routes by crafting a Host header that makes the auth gate evaluate a different path than FastAPI actually dispatches, exploiting CWE-290 (Authentication Bypass by Spoofing). LiteLLM is the de facto multi-provider LLM gateway in many enterprise AI stacks — a successful bypass exposes management APIs that hold upstream LLM API keys (OpenAI, Anthropic, etc.), model routing rules, and spending controls, making the blast radius significant beyond the 6 tracked downstream dependents. EPSS places this in the top 80th percentile for exploitation likelihood and the technique requires no AI/ML knowledge whatsoever, just standard HTTP header manipulation. Upgrade to litellm 1.84.0 immediately; if patching is blocked, place the proxy behind a CDN, WAF, or reverse proxy with explicit server_name allowlists — and rotate any LLM API keys accessible via management routes as a precaution.

Sources: NVD EPSS GitHub Advisory ATLAS OpenSSF

What is the risk?

HIGH risk for self-hosted LiteLLM proxy deployments exposed without an upstream host-validating layer. The vulnerability is trivially exploitable — no specialized knowledge required beyond basic HTTP tooling. Successful exploitation of management routes (/key, /user, /model, /spend) can expose LLM API keys, enable unauthorized model routing to attacker-controlled endpoints, create privileged access tokens, and remove rate-limiting or spending controls enabling cost harvesting. Cloud-hosted LiteLLM and deployments behind Cloudflare, nginx with server_name allowlists, or cloud load balancers are explicitly not affected, limiting exposure to bare-metal or container deployments with direct network access.

How does the attack unfold?

Initial Access

Attacker identifies an internet-exposed LiteLLM proxy without an upstream CDN or WAF and sends HTTP requests with crafted Host headers to probe the auth boundary.

AML.T0049

Auth Gate Evasion

The malformed Host header causes get_request_route() in auth_utils.py to resolve an unprotected or whitelisted route, skipping authentication while FastAPI dispatches the request to the real protected management endpoint.

AML.T0107

Credential Exfiltration

Attacker iterates unauthenticated management endpoints (/key/list, /model/info, /user/info) to enumerate and extract upstream LLM provider API keys and virtual keys from the proxy database.

AML.T0055

Impact

Stolen API keys enable unauthorized LLM inference at the victim's expense, manipulation of model routing to attacker-controlled endpoints, or escalated compromise of upstream LLM provider accounts.

AML.T0034

Initial Access

Attacker identifies an internet-exposed LiteLLM proxy without an upstream CDN or WAF and sends HTTP requests with crafted Host headers to probe the auth boundary.

AML.T0049

Auth Gate Evasion

The malformed Host header causes get_request_route() in auth_utils.py to resolve an unprotected or whitelisted route, skipping authentication while FastAPI dispatches the request to the real protected management endpoint.

AML.T0107

Credential Exfiltration

Attacker iterates unauthenticated management endpoints (/key/list, /model/info, /user/info) to enumerate and extract upstream LLM provider API keys and virtual keys from the proxy database.

AML.T0055

Impact

Stolen API keys enable unauthorized LLM inference at the victim's expense, manipulation of model routing to attacker-controlled endpoints, or escalated compromise of upstream LLM provider accounts.

AML.T0034

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LiteLLM	pip	< 1.84.0	`1.84.0`
50.3K OpenSSF 6.0 6 dependents Pushed 2d ago 52% patched ~41d to patch Full package profile →

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

0.1%

chance of exploitation in 30 days

Higher than 20% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

Upgrade litellm to >= 1.84.0 — no configuration change required post-upgrade.
If unable to patch immediately, place the proxy behind a CDN (Cloudflare), WAF, or reverse proxy (nginx, Caddy) with explicit server_name allowlists to validate and normalize Host headers before forwarding.
Restrict network access to the proxy listener to trusted internal CIDR ranges via firewall rules as an additional control.
Detection: audit proxy access logs for requests with Host headers that do not match the canonical proxy hostname (unexpected domains, IP literals, port variants, internal hostnames).
Rotate all LLM API keys and virtual keys accessible via management routes if exposure cannot be ruled out for the affected version window.

How is it classified?

Auth Bypass Data Extraction Inference API AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0107 - Exploitation for Defense Evasion

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment 9.1 - Monitoring, measurement, analysis and evaluation

NIST AI RMF

MANAGE 2.4 - Residual risks are addressed

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-49468?

A Host-header parsing flaw in LiteLLM's proxy auth layer (litellm < 1.84.0) lets an unauthenticated attacker reach protected management routes by crafting a Host header that makes the auth gate evaluate a different path than FastAPI actually dispatches, exploiting CWE-290 (Authentication Bypass by Spoofing). LiteLLM is the de facto multi-provider LLM gateway in many enterprise AI stacks — a successful bypass exposes management APIs that hold upstream LLM API keys (OpenAI, Anthropic, etc.), model routing rules, and spending controls, making the blast radius significant beyond the 6 tracked downstream dependents. EPSS places this in the top 80th percentile for exploitation likelihood and the technique requires no AI/ML knowledge whatsoever, just standard HTTP header manipulation. Upgrade to litellm 1.84.0 immediately; if patching is blocked, place the proxy behind a CDN, WAF, or reverse proxy with explicit server_name allowlists — and rotate any LLM API keys accessible via management routes as a precaution.

Is CVE-2026-49468 actively exploited?

No confirmed active exploitation of CVE-2026-49468 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-49468?

1. Upgrade litellm to >= 1.84.0 — no configuration change required post-upgrade. 2. If unable to patch immediately, place the proxy behind a CDN (Cloudflare), WAF, or reverse proxy (nginx, Caddy) with explicit server_name allowlists to validate and normalize Host headers before forwarding. 3. Restrict network access to the proxy listener to trusted internal CIDR ranges via firewall rules as an additional control. 4. Detection: audit proxy access logs for requests with Host headers that do not match the canonical proxy hostname (unexpected domains, IP literals, port variants, internal hostnames). 5. Rotate all LLM API keys and virtual keys accessible via management routes if exposure cannot be ruled out for the affected version window.

What systems are affected by CVE-2026-49468?

This vulnerability affects the following AI/ML architecture patterns: LLM API gateways, model serving, agent frameworks, RAG pipelines, multi-provider LLM routing.

What is the CVSS score for CVE-2026-49468?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

LLM API gatewaysmodel servingagent frameworksRAG pipelinesmulti-provider LLM routing

MITRE ATLAS Techniques

AML.T0034 Cost Harvesting

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: 6.1.2, 9.1

NIST AI RMF: MANAGE 2.4

OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

### Impact A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from `request.url.path` in `litellm/proxy/auth/auth_utils.py::get_request_route()`, which Starlette reconstructs from the `Host` header. A crafted `Host` could therefore make the auth gate evaluate a different route from the one FastAPI dispatched. **Most deployments are not affected.** The bypass is blocked by any upstream layer that validates or normalizes `Host`, such as: - a CDN or WAF, such as Cloudflare - a reverse proxy with `server_name` allowlists - a host-based load balancer **LiteLLM Cloud customers are not affected.** ### Patches Fixed in **`1.84.0`**. Upgrade to `1.84.0` or later. No configuration change is required. ### Workarounds If upgrading is not immediately possible, place the proxy behind an upstream component that validates or normalizes the `Host` header before forwarding (a CDN/WAF, a reverse proxy with explicit `server_name` allowlists, or a cloud load balancer with host-based routing rules), or otherwise restrict network access to the proxy listener. ### References - Patched release: [`v1.84.0`](https://github.com/BerriAI/litellm/releases/tag/v1.84.0) **Discovery Credit**: Le The Thang (KCSC) and Kim Ngoc Chung (One Mount Group)

Exploitation Scenario

An attacker identifies a LiteLLM proxy exposed on a non-standard port without an upstream CDN or reverse proxy. They send an HTTP request with a crafted Host header — e.g., Host: localhost or Host: 127.0.0.1 — designed to make auth_utils.py's get_request_route() resolve the effective path to an internal or unprotected route, bypassing the authentication check. FastAPI simultaneously dispatches the request to the actual protected management endpoint as normal. The attacker iterates against known management paths (/key/list, /user/info, /model/info, /spend/logs) and successfully reads all configured upstream LLM API keys and virtual key credentials. Those keys are then used to run unauthorized inference at the victim's expense or to pivot into the victim's OpenAI/Anthropic accounts for further access.

Weaknesses (CWE)

CWE-290 Authentication Bypass by Spoofing Primary

CWE-290 — Authentication Bypass by Spoofing: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Source: MITRE CWE corpus.