PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42203 BerriAI CVE debrief

A high-severity vulnerability, CVE-2026-42203, was found in LiteLLM Proxy Server versions 1.80.5 to before 1.83.7. The POST /prompts/test endpoint accepted user-supplied prompt templates without sandboxing, allowing crafted templates to run arbitrary code inside the LiteLLM Proxy process. This issue, patched in version 1.83.7, required only a valid proxy API key for exploitation, potentially exposing process environment secrets and allowing host command execution.

Vendor
BerriAI
Product
litellm
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-06-30
Advisory published
2026-05-08
Advisory updated
2026-06-30

Who should care

Organizations using LiteLLM Proxy Server versions 1.80.5 to before 1.83.7 should prioritize patching to prevent potential code execution and data exposure. This vulnerability could allow attackers to access sensitive information and execute commands on the host system.

Technical summary

The LiteLLM Proxy Server, used as an AI Gateway to call LLM APIs, had a vulnerability in its POST /prompts/test endpoint. This endpoint accepted user-supplied prompt templates without proper sandboxing, allowing for arbitrary code execution within the LiteLLM Proxy process. The vulnerability existed from version 1.80.5 up to but not including version 1.83.7. Exploitation required only a valid proxy API key, making it accessible to any authenticated user. Successful exploitation could lead to the exposure of sensitive information in the process environment, such as provider API keys or database credentials, and potentially allow for command execution on the host system.

Defensive priority

High priority should be given to patching LiteLLM Proxy Server instances to version 1.83.7 or later. In the meantime, restricting access to the POST /prompts/test endpoint and closely monitoring the environment for suspicious activity can help mitigate the risk.

Recommended defensive actions

  • Apply the patch by updating LiteLLM Proxy Server to version 1.83.7 or later.
  • Restrict access to the POST /prompts/test endpoint to only necessary personnel.
  • Monitor the environment for suspicious activity and potential code execution attempts.
  • Review and rotate any potentially exposed secrets in the process environment.
  • Implement additional security measures, such as sandboxing or input validation, for user-supplied prompt templates.

Evidence notes

The CVE-2026-42203 vulnerability was publicly disclosed on May 8, 2026, and last modified on June 30, 2026. The vulnerability has a CVSS score of 8.6 and is considered high severity. LiteLLM has patched the issue in version 1.83.7. Multiple sources, including NVD and Red Hat, have documented this vulnerability.

Official resources

This article was AI-assisted and based on the supplied source corpus.