PatchSiren cyber security CVE debrief
CVE-2026-42203 BerriAI CVE debrief
A high-severity vulnerability, CVE-2026-42203, was found in LiteLLM Proxy Server versions 1.80.5 to before 1.83.7. The POST /prompts/test endpoint accepted user-supplied prompt templates without sandboxing, allowing crafted templates to run arbitrary code inside the LiteLLM Proxy process. This issue, patched in version 1.83.7, required only a valid proxy API key for exploitation, potentially exposing process environment secrets and allowing host command execution.
- Vendor
- BerriAI
- Product
- litellm
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-08
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-05-08
- Advisory updated
- 2026-06-30
Who should care
Organizations using LiteLLM Proxy Server versions 1.80.5 to before 1.83.7 should prioritize patching to prevent potential code execution and data exposure. This vulnerability could allow attackers to access sensitive information and execute commands on the host system.
Technical summary
The LiteLLM Proxy Server, used as an AI Gateway to call LLM APIs, had a vulnerability in its POST /prompts/test endpoint. This endpoint accepted user-supplied prompt templates without proper sandboxing, allowing for arbitrary code execution within the LiteLLM Proxy process. The vulnerability existed from version 1.80.5 up to but not including version 1.83.7. Exploitation required only a valid proxy API key, making it accessible to any authenticated user. Successful exploitation could lead to the exposure of sensitive information in the process environment, such as provider API keys or database credentials, and potentially allow for command execution on the host system.
Defensive priority
High priority should be given to patching LiteLLM Proxy Server instances to version 1.83.7 or later. In the meantime, restricting access to the POST /prompts/test endpoint and closely monitoring the environment for suspicious activity can help mitigate the risk.
Recommended defensive actions
- Apply the patch by updating LiteLLM Proxy Server to version 1.83.7 or later.
- Restrict access to the POST /prompts/test endpoint to only necessary personnel.
- Monitor the environment for suspicious activity and potential code execution attempts.
- Review and rotate any potentially exposed secrets in the process environment.
- Implement additional security measures, such as sandboxing or input validation, for user-supplied prompt templates.
Evidence notes
The CVE-2026-42203 vulnerability was publicly disclosed on May 8, 2026, and last modified on June 30, 2026. The vulnerability has a CVSS score of 8.6 and is considered high severity. LiteLLM has patched the issue in version 1.83.7. Multiple sources, including NVD and Red Hat, have documented this vulnerability.
Official resources
-
CVE-2026-42203 CVE record
CVE.org
-
CVE-2026-42203 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Mitigation, Patch, Vendor Advisory
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was AI-assisted and based on the supplied source corpus.