AI Threat Alert AI Threat Alert

GHSA-xqmj-j6mv-4862

GHSA-xqmj-j6mv-4862 HIGH
Published April 24, 2026

### Impact The `POST /prompts/test` endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated...

Full CISO analysis pending enrichment.

Affected Systems

Package Ecosystem Vulnerable Range Patched
litellm pip >= 1.80.5, < 1.83.7 1.83.7
43.8K OpenSSF 6.2 2.0K dependents Pushed 5d ago 56% patched ~47d to patch Full package profile →

Do you use litellm? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Recommended Action

Patch available

Update litellm to version 1.83.7

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is GHSA-xqmj-j6mv-4862?

LiteLLM: Server-Side Template Injection in /prompts/test endpoint

Is GHSA-xqmj-j6mv-4862 actively exploited?

No confirmed active exploitation of GHSA-xqmj-j6mv-4862 has been reported, but organizations should still patch proactively.

How to fix GHSA-xqmj-j6mv-4862?

Update to patched version: litellm 1.83.7.

What is the CVSS score for GHSA-xqmj-j6mv-4862?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Impact The `POST /prompts/test` endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. Proxy deployments running an affected version are in scope. ### Patches The issue is fixed in **`1.83.7-stable`**. The fix switches the prompt template renderer to a sandboxed environment that blocks the attributes this attack relies on. LiteLLM recommends upgrading to `1.83.7-stable` or later. ### Workarounds If upgrading is not immediately possible: 1. Block `POST /prompts/test` at your reverse proxy or API gateway. 2. Review and rotate API keys that should not have access to prompt management routes.

Weaknesses (CWE)

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine Primary

References

Timeline

Published
April 24, 2026
Last Modified
April 24, 2026
First Seen
April 24, 2026

Related Vulnerabilities

CRITICAL CVE-2026-35030 9.1

LiteLLM: auth bypass via JWT cache key collision

Same package: litellm
HIGH CVE-2026-40217 8.8

LiteLLM: RCE via bytecode rewriting in guardrails API

Same package: litellm
HIGH CVE-2024-6825 8.8

LiteLLM: RCE via post_call_rules callback injection

Same package: litellm
HIGH CVE-2025-0628 8.1

litellm: privilege escalation viewer→proxy admin via bad API key

Same package: litellm
HIGH CVE-2024-4888 8.1

litellm: arbitrary file deletion via audio endpoint

Same package: litellm
Back to Threat Feed