CVE-2026-49468: LiteLLM: Authentication Bypass via Host Header Injection
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, LiteLLM is affected by an authentication bypass via Host header injection. This vulnerability is fixed in 1.84.0.
Metrics
- CVSS v4.0: 9.5
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability exists in LiteLLM, an AI Gateway proxy server that routes requests to large language model APIs. An unauthenticated attacker can reach the service over the network and manipulate the HTTP Host header to bypass authentication controls, requiring no credentials and no victim interaction. Successful exploitation grants the attacker full read, write, and availability impact across both the vulnerable component and any systems it can reach. HarborGuard tracks the upstream advisory for patch availability, as no fix version has been published yet.
HarborGuard Coverage
Detection for CVE-2026-49468 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of publication, including custom-built images that bundle LiteLLM as a dependency. Any image containing BerriAI/litellm below version 1.84.0 is flagged regardless of how it entered the registry. (Status: Available)
HarborGuard scores this CVE at CVSS v4.0 9.5 (Critical) and applies per-environment compliance policy weighting to surface it at the appropriate priority for each customer org. Triage routing is available to direct findings to the correct team inbox based on image ownership and policy configuration. (Status: Available)
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment BerriAI ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version is confirmed. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the LiteLLM service over the network; the CVSS vector specifies AV:N, meaning any internet- or intranet-exposed instance is in scope.
- Authentication: Not required
  No credentials are needed; PR:N means the attacker exploits the Host header injection before any authentication check is applied.
- Victim interaction: Not required
  The attack is fully server-side; UI:N means no user needs to click a link or take any action for exploitation to succeed.
- Attack complexity: Detail
  The base exploit is condition-free (AC:L), though AT:P indicates a specific deployment configuration or timing condition must be present, making opportunistic mass exploitation somewhat less reliable.
Blast Radius
- The attacker bypasses authentication and reads all data handled by the LiteLLM proxy, including API keys, model routing configuration, and any request or response payloads in transit.
- The attacker can write to the proxy, enabling injection of arbitrary LLM requests, modification of routing rules, or manipulation of downstream API calls sent to connected LLM providers.
- The attacker can crash or degrade the LiteLLM service, disrupting AI Gateway availability for all workloads that depend on it.
- Because SC, SI, and SA are all rated High, impact extends beyond the proxy itself to any connected systems, including upstream LLM provider accounts and downstream applications consuming LiteLLM responses.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-49468, HarborGuard re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild the moment BerriAI publishes a remediated version of LiteLLM. For customers who opt into auto-remediation, that rebuild will immediately trigger a regression test run and a PR opened against affected workloads. In the meantime, compensating controls worth considering include network-policy isolation to restrict which services can reach the LiteLLM proxy, egress filtering to limit the proxy's ability to reach unintended LLM endpoints, and Host header validation enforced at the ingress or reverse-proxy layer in front of LiteLLM. Where compliance policy permits, HarborGuard can apply a suppression note to track accepted risk until the upstream patch is available.
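The last compensating control above, Host header validation in front of LiteLLM, is the one an operator can put in place without waiting on upstream. The block below is an added example written for this page; it is not LiteLLM's, BerriAI's or HarborGuard's code. It assumes the operator knows the hostnames that legitimately front the proxy (ALLOWED_HOSTS is a constructed placeholder), and it fails closed: a missing, duplicated, malformed or non-allowlisted Host header is rejected with 400 before the request reaches the application. It goes a little beyond the page's one-line recommendation by handling the edge cases a bare string compare misses: case, a trailing dot, an appended port, bracketed IPv6 literals, and duplicate Host headers. Only the standard library is used, so the same logic can be ported to whichever ingress or reverse proxy you actually run.

```python
"""Host header allowlisting at the edge in front of a LiteLLM deployment.

Added example, not LiteLLM's or HarborGuard's code. ALLOWED_HOSTS is a
constructed placeholder; replace it with the names your deployment serves.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed example allowlist (assumption): hostnames that legitimately
# front the LiteLLM proxy in this deployment.
ALLOWED_HOSTS = frozenset({"litellm.internal.example", "gateway.example.com"})

# One RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def canonical_host(raw: Optional[str]) -> Optional[str]:
    """Normalise a Host header value to a lowercase host with the port removed.

    Returns None for anything malformed so that callers fail closed.
    """
    if raw is None:
        return None
    value = raw.strip()
    if not value or len(value) > 255:
        return None
    if value.startswith("["):  # bracketed IPv6 literal, optionally "[addr]:port"
        end = value.find("]")
        if end == -1:
            return None
        rest = value[end + 1:]
        if rest and not re.fullmatch(r":\d{1,5}", rest):
            return None
        try:
            return "[" + ipaddress.IPv6Address(value[1:end]).compressed + "]"
        except ValueError:
            return None
    if value.count(":") > 1:  # hostname/IPv4 may carry at most one ":port"
        return None
    host, _, port = value.partition(":")
    if port and not re.fullmatch(r"\d{1,5}", port):
        return None
    host = host.lower().rstrip(".")
    if not host:
        return None
    try:
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        pass
    if all(_LABEL_RE.match(label) for label in host.split(".")):
        return host
    return None


def host_allowed(raw: Optional[str], allowlist: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """True only when the Host header canonicalises to an allowlisted name."""
    host = canonical_host(raw)
    return host is not None and host in {h.lower() for h in allowlist}


def reject_status(raw_headers: List[Tuple[bytes, bytes]],
                  allowlist: Iterable[str] = ALLOWED_HOSTS) -> Optional[int]:
    """Decide on ASGI-style (name, value) byte headers: 400 to reject, None to pass.

    Exactly one Host header is required; duplicates are treated as hostile.
    """
    hosts = [v for k, v in raw_headers if k.lower() == b"host"]
    if len(hosts) != 1:
        return 400
    return None if host_allowed(hosts[0].decode("latin-1"), allowlist) else 400


class HostAllowlistMiddleware:
    """Minimal pure-ASGI middleware: wrap the LiteLLM (or any ASGI) app with it."""

    def __init__(self, app, allowlist: Iterable[str] = ALLOWED_HOSTS):
        self.app = app
        self.allowlist = frozenset(h.lower() for h in allowlist)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            status = reject_status(list(scope.get("headers", [])), self.allowlist)
            if status is not None:
                await send({"type": "http.response.start", "status": status,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"Invalid Host header\n"})
                return
        await self.app(scope, receive, send)
```

The check sits in front of the application rather than inside it because the point of the control is that a request with an unexpected Host never reaches the vulnerable code path. For a LiteLLM deployment behind nginx or a Kubernetes ingress, the equivalent is a default server block or default backend that returns 400 for any name you have not explicitly configured; for a FastAPI/Starlette process you can also use Starlette's built-in TrustedHostMiddleware with the same allowlist.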
- BerriAI / litellm: < 1.84.0
- CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H