Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-42271 (GCVE-0-2026-42271)
Vulnerability from cvelistv5 – Published: 2026-05-08 03:35 – Updated: 2026-06-09 03:55Title
LiteLLM: Authenticated command execution via MCP stdio test endpoints
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Severity
SSVC
Exploitation: active
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/BerriAI/litellm/security/advis… | x_refsource_CONFIRM |
| https://github.com/BerriAI/litellm/releases/tag/v… | x_refsource_MISC |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
CISA
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: fc2749e6-b097-4d27-bc2f-6df29375da7f
Exploited: Yes
Timestamps
First Seen: 2026-06-08
Asserted: 2026-06-08
Scope
Notes: KEV entry: BerriAI LiteLLM Command Injection Vulnerability | Affected: BerriAI / LiteLLM | Description: BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2026-06-22 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g ; https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable ; https://nvd.nist.gov/vuln/detail/CVE-2026-42271
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Cwes | CWE-78 CWE-77 |
|---|---|
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | LiteLLM |
| Due Date | 2026-06-22 |
| Date Added | 2026-06-08 |
| Vendorproject | BerriAI |
| Vulnerabilityname | BerriAI LiteLLM Command Injection Vulnerability |
| Knownransomwarecampaignuse | Unknown |
References
Created: 2026-06-08 18:00 UTC
| Updated: 2026-06-08 18:00 UTC
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: 9a132474-34d7-4126-9585-beafa55e1c1a
Exploited: Yes
Timestamps
First Seen: 2026-06-08
Asserted: 2026-06-08
Scope
Notes: KEVIntel entry: LiteLLM: Authenticated command execution via MCP stdio test endpoints | Affected: BerriAI / litellm | CVSS: 8.7 (HIGH) | EPSS: 0.53701 | Used in malware: unknown | Not yet in CISA KEV: False
Evidence
Type: Public Report
Signal: Successful Exploitation
Confidence: 70%
Source: kevintel
Details
| Feed | KEVIntel (kevintel.com) |
|---|---|
| Title | LiteLLM: Authenticated command execution via MCP stdio test endpoints |
| Vendor | BerriAI |
| Product | litellm |
| Added Date | 2026-06-08T18:00:45.030Z |
| Cvss Score | 8.7 |
| Epss Score | 0.53701 |
| Cvss Severity | HIGH |
| Epss Percentile | 0.98861 |
| Used In Malware | unknown |
| Ahead Of Cisa Kev | None |
| Not Yet In Cisa Kev | False |
References
Created: 2026-06-23 14:03 UTC
| Updated: 2026-06-23 14:03 UTC
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42271",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-06-08",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:55:26.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "CVE-2026-42271 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.74.2, \u003c 1.83.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it \u2014 POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list \u2014 accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \u2014 including holders of low-privilege internal-user keys \u2014 could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:35:16.758Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
},
{
"name": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
}
],
"source": {
"advisory": "GHSA-v4p8-mg3p-g94g",
"discovery": "UNKNOWN"
},
"title": "LiteLLM: Authenticated command execution via MCP stdio test endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42271",
"datePublished": "2026-05-08T03:35:16.758Z",
"dateReserved": "2026-04-26T11:53:27.707Z",
"dateUpdated": "2026-06-09T03:55:26.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2026-42271",
"cwes": "[\"CWE-78\", \"CWE-77\"]",
"dateAdded": "2026-06-08",
"dueDate": "2026-06-22",
"knownRansomwareCampaignUse": "Unknown",
"notes": "This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g ; https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable ; https://nvd.nist.gov/vuln/detail/CVE-2026-42271",
"product": "LiteLLM",
"requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host.",
"vendorProject": "BerriAI",
"vulnerabilityName": "BerriAI LiteLLM Command Injection Vulnerability"
},
"epss": {
"cve": "CVE-2026-42271",
"date": "2026-06-26",
"epss": "0.74993",
"percentile": "0.99444"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-42271\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-08T04:16:21.820\",\"lastModified\":\"2026-06-09T01:22:09.190\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it \u2014 POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list \u2014 accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \u2014 including holders of low-privilege internal-user keys \u2014 could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2026-06-08\",\"cisaActionDue\":\"2026-06-22\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"BerriAI LiteLLM Command Injection Vulnerability\",\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"},{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.74.2\",\"versionEndExcluding\":\"1.83.7\",\"matchCriteriaId\":\"D249DFDB-5D0D-4053-A997-0900F77F9A13\"}]}]}],\"references\":[{\"url\":\"https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42271\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-08T17:47:03.864516Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2026-06-08\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271\"}}}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-08T14:31:02.765Z\"}, \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-06-08T00:00:00.000Z\", \"value\": \"CVE-2026-42271 added to CISA KEV\"}]}], \"cna\": {\"title\": \"LiteLLM: Authenticated command execution via MCP stdio test endpoints\", \"source\": {\"advisory\": \"GHSA-v4p8-mg3p-g94g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"BerriAI\", \"product\": \"litellm\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.74.2, \u003c 1.83.7\"}]}], \"references\": [{\"url\": \"https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g\", \"name\": \"https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable\", \"name\": \"https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it \\u2014 POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list \\u2014 accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \\u2014 including holders of low-privilege internal-user keys \\u2014 could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-77\", \"description\": \"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-08T03:35:16.758Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-42271\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-08T19:58:23.479Z\", \"dateReserved\": \"2026-04-26T11:53:27.707Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-08T03:35:16.758Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-42271
Vulnerability from fkie_nvd - Published: 2026-05-08 04:16 - Updated: 2026-06-17 10:47
Severity
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable | Product, Release Notes | |
| security-advisories@github.com | https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g | Mitigation, Patch, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271 | US Government Resource |
{
"affected": [
{
"affectedData": [
{
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.74.2, \u003c 1.83.7"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"cisaActionDue": "2026-06-22",
"cisaExploitAdd": "2026-06-08",
"cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "BerriAI LiteLLM Command Injection Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D249DFDB-5D0D-4053-A997-0900F77F9A13",
"versionEndExcluding": "1.83.7",
"versionStartIncluding": "1.74.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it \u2014 POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list \u2014 accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \u2014 including holders of low-privilege internal-user keys \u2014 could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7."
}
],
"id": "CVE-2026-42271",
"lastModified": "2026-06-17T10:47:36.560",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-42271",
"options": [
{
"exploitation": "active"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
}
}
]
},
"published": "2026-05-08T04:16:21.820",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
},
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-V4P8-MG3P-G94G
Vulnerability from github – Published: 2026-04-25 23:27 – Updated: 2026-06-09 13:07
VLAI
Summary
LiteLLM: Authenticated command execution via MCP stdio test endpoints
Details
Impact
Two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.
The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host.
Patches
Fixed in 1.83.7. Both test endpoints now require the PROXY_ADMIN role, bringing them into line with the save endpoint.
Workarounds
If upgrading is not immediately possible, developers should block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at their reverse proxy or API gateway.
Severity
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "litellm"
},
"ranges": [
{
"events": [
{
"introduced": "1.74.2"
},
{
"fixed": "1.83.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42271"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-25T23:27:54Z",
"nvd_published_at": "2026-05-08T04:16:21Z",
"severity": "HIGH"
},
"details": "### Impact\n\nTwo endpoints used to preview an MCP server before saving it \u2014 `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` \u2014 accepted a full server configuration in the request body, including the `command`, `args`, and `env` fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.\n\nThe endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \u2014 including holders of low-privilege internal-user keys \u2014 could therefore run arbitrary commands on the host.\n\n### Patches\n\nFixed in **`1.83.7`**. Both test endpoints now require the `PROXY_ADMIN` role, bringing them into line with the save endpoint.\n\n### Workarounds\n\nIf upgrading is not immediately possible, developers should block `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` at their reverse proxy or API gateway.",
"id": "GHSA-v4p8-mg3p-g94g",
"modified": "2026-06-09T13:07:06Z",
"published": "2026-04-25T23:27:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42271"
},
{
"type": "PACKAGE",
"url": "https://github.com/BerriAI/litellm"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LiteLLM: Authenticated command execution via MCP stdio test endpoints"
}
NCSC-2026-0137
Vulnerability from csaf_ncscnl - Published: 2026-05-11 06:38 - Updated: 2026-05-11 06:38Summary
Kwetsbaarheden verholpen in LiteLLM door BerriAI
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: BerriAI heeft kwetsbaarheden verholpen in LiteLLM, specifiek in versies 1.74.2 tot en met 1.83.6.
Interpretaties: LiteLLM is een veelgebruikte proxy om op gecentraliseerde wijze API's naar een groot aantal LLM systemen te beheren.
De eerste kwetsbaarheid betreft een SQL-injectie in het proxy API key verificatiemechanisme, waardoor niet-geauthenticeerde aanvallers SQL-injectieaanvallen kunnen uitvoeren om proxy databasegegevens te lezen en te wijzigen. Dit kan leiden tot het compromitteren van credentials en verdere ongeautoriseerde toegang tot het systeem. De tweede kwetsbaarheid betreft twee preview endpoints in de MCP server feature die volledige serverconfiguraties accepteren. Elke geauthenticeerde gebruiker met een geldige proxy API key kan hiermee willekeurige commando's uitvoeren op de proxy host, zonder dat hiervoor administratieve rechten vereist zijn. Deze kwetsbaarheid maakt ongeautoriseerde command execution mogelijk.
Oplossingen: BerriAI heeft versie 1.83.7 van LiteLLM uitgebracht waarin beide kwetsbaarheden zijn verholpen. De SQL-injectie is opgelost en de toegang tot de preview endpoints is beperkt tot gebruikers met de PROXY_ADMIN rol. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
LiteLLM versions prior to 1.83.7 contain a critical SQL injection vulnerability in proxy API key verification that allows unauthenticated attackers to read and modify database data, risking unauthorized access and credential compromise.
9.8 (Critical)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
BerriAI / LiteLLM
|
vers:unknown/* |
LiteLLM versions 1.74.2 to before 1.83.7 had two preview endpoints allowing authenticated users with a proxy API key to execute arbitrary commands on the host, fixed by requiring the PROXY_ADMIN role in version 1.83.7.
8.8 (High)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
BerriAI / LiteLLM
|
vers:unknown/* |
References
4 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "BerriAI heeft kwetsbaarheden verholpen in LiteLLM, specifiek in versies 1.74.2 tot en met 1.83.6.",
"title": "Feiten"
},
{
"category": "description",
"text": "LiteLLM is een veelgebruikte proxy om op gecentraliseerde wijze API\u0027s naar een groot aantal LLM systemen te beheren.\n\nDe eerste kwetsbaarheid betreft een SQL-injectie in het proxy API key verificatiemechanisme, waardoor niet-geauthenticeerde aanvallers SQL-injectieaanvallen kunnen uitvoeren om proxy databasegegevens te lezen en te wijzigen. Dit kan leiden tot het compromitteren van credentials en verdere ongeautoriseerde toegang tot het systeem. De tweede kwetsbaarheid betreft twee preview endpoints in de MCP server feature die volledige serverconfiguraties accepteren. Elke geauthenticeerde gebruiker met een geldige proxy API key kan hiermee willekeurige commando\u0027s uitvoeren op de proxy host, zonder dat hiervoor administratieve rechten vereist zijn. Deze kwetsbaarheid maakt ongeautoriseerde command execution mogelijk.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "BerriAI heeft versie 1.83.7 van LiteLLM uitgebracht waarin beide kwetsbaarheden zijn verholpen. De SQL-injectie is opgelost en de toegang tot de preview endpoints is beperkt tot gebruikers met de PROXY_ADMIN rol. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"title": "CWE-89"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc"
},
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
}
],
"title": "Kwetsbaarheden verholpen in LiteLLM door BerriAI",
"tracking": {
"current_release_date": "2026-05-11T06:38:59.274837Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0137",
"initial_release_date": "2026-05-11T06:38:59.274837Z",
"revision_history": [
{
"date": "2026-05-11T06:38:59.274837Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "LiteLLM"
}
],
"category": "vendor",
"name": "BerriAI"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-42208",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"title": "CWE-89"
},
{
"category": "description",
"text": "LiteLLM versions prior to 1.83.7 contain a critical SQL injection vulnerability in proxy API key verification that allows unauthenticated attackers to read and modify database data, risking unauthorized access and credential compromise.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42208 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42208.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-42208"
},
{
"cve": "CVE-2026-42271",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
},
{
"category": "description",
"text": "LiteLLM versions 1.74.2 to before 1.83.7 had two preview endpoints allowing authenticated users with a proxy API key to execute arbitrary commands on the host, fixed by requiring the PROXY_ADMIN role in version 1.83.7.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42271 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42271.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-42271"
}
]
}
RHSA-2026:27784
Vulnerability from csaf_redhat - Published: 2026-06-22 05:11 - Updated: 2026-06-24 15:36Summary
Red Hat Security Advisory: RHOAI 3.4.1 - Red Hat OpenShift AI
Severity
Important
Notes
Topic: Updated images are now available for Red Hat OpenShift AI.
Details: Release of RHOAI 3.4.1 provides these changes:
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in LiteLLM, a proxy server (AI Gateway) for Large Language Model (LLM) APIs. Two endpoints, used for previewing an MCP server before saving it, accepted a full server configuration including command execution parameters. An authenticated user, even with low-privilege internal-user keys, could exploit this by sending a crafted configuration. This allows for arbitrary command execution on the proxy host with the privileges of the proxy process.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1c962bba45e5cddaadd8ceff241417f9c3686aba1df8b6b511caf5a9901f2c40_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1d6d4da4451688faa350b05558ed601e5c498b2382923f1bf45fc41958b098f6_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:305bf281a63bff13b96466fb7adfd0962ac28e92d649ad692a86eb10db89a1a0_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:5149bc20e5d0a9e281ca3330d000d613b5987f46996e771067532af0fe3e0fb8_ppc64le | — |
Vendor Fix
fix
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-operator-bundle@sha256:0efd1bb73b277b4cdca47bcb424679de6fd094d04e73e7a3ed0c470e8040b440_amd64 | — | ||
| Unresolved product id: Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:4b8e9cda02c30b95aa6e483dd9f90b2e27b9093212c6c3d956be8da3dd00dd16_s390x | — | ||
| Unresolved product id: Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:72648350ddd7a3401542e90f923df38adb4ee75ded438dade1bc472566f474dc_ppc64le | — | ||
| Unresolved product id: Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:76341c99cdb9a4321a37a58b1757ed0327bcf8d3adfa5688109f138a16b5ef04_amd64 | — | ||
| Unresolved product id: Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:cc6f060d37c92ea68c955e637e6291863272c1992ba86bc872989c4b566fc8bf_arm64 | — |
Threats
Exploit Status
CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Impact
Important
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat OpenShift AI.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of RHOAI 3.4.1 provides these changes:",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:27784",
"url": "https://access.redhat.com/errata/RHSA-2026:27784"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42271",
"url": "https://access.redhat.com/security/cve/CVE-2026-42271"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"url": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_27784.json"
}
],
"title": "Red Hat Security Advisory: RHOAI 3.4.1 - Red Hat OpenShift AI",
"tracking": {
"current_release_date": "2026-06-24T15:36:57+00:00",
"generator": {
"date": "2026-06-24T15:36:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.0.0"
}
},
"id": "RHSA-2026:27784",
"initial_release_date": "2026-06-22T05:11:35+00:00",
"revision_history": [
{
"date": "2026-06-22T05:11:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-22T07:18:24+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-24T15:36:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift AI 3.4",
"product": {
"name": "Red Hat OpenShift AI 3.4",
"product_id": "Red Hat OpenShift AI 3.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_ai:3.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift AI"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:0efd1bb73b277b4cdca47bcb424679de6fd094d04e73e7a3ed0c470e8040b440_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:0efd1bb73b277b4cdca47bcb424679de6fd094d04e73e7a3ed0c470e8040b440_amd64",
"product_id": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:0efd1bb73b277b4cdca47bcb424679de6fd094d04e73e7a3ed0c470e8040b440_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-operator-bundle@sha256%3A0efd1bb73b277b4cdca47bcb424679de6fd094d04e73e7a3ed0c470e8040b440?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-operator-bundle\u0026tag=1781682120"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:76341c99cdb9a4321a37a58b1757ed0327bcf8d3adfa5688109f138a16b5ef04_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:76341c99cdb9a4321a37a58b1757ed0327bcf8d3adfa5688109f138a16b5ef04_amd64",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:76341c99cdb9a4321a37a58b1757ed0327bcf8d3adfa5688109f138a16b5ef04_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3A76341c99cdb9a4321a37a58b1757ed0327bcf8d3adfa5688109f138a16b5ef04?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1781681524"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1c962bba45e5cddaadd8ceff241417f9c3686aba1df8b6b511caf5a9901f2c40_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1c962bba45e5cddaadd8ceff241417f9c3686aba1df8b6b511caf5a9901f2c40_amd64",
"product_id": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1c962bba45e5cddaadd8ceff241417f9c3686aba1df8b6b511caf5a9901f2c40_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256%3A1c962bba45e5cddaadd8ceff241417f9c3686aba1df8b6b511caf5a9901f2c40?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9\u0026tag=1781622627"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:72648350ddd7a3401542e90f923df38adb4ee75ded438dade1bc472566f474dc_ppc64le",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:72648350ddd7a3401542e90f923df38adb4ee75ded438dade1bc472566f474dc_ppc64le",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:72648350ddd7a3401542e90f923df38adb4ee75ded438dade1bc472566f474dc_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3A72648350ddd7a3401542e90f923df38adb4ee75ded438dade1bc472566f474dc?arch=ppc64le\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1781681524"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:5149bc20e5d0a9e281ca3330d000d613b5987f46996e771067532af0fe3e0fb8_ppc64le",
"product": {
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:5149bc20e5d0a9e281ca3330d000d613b5987f46996e771067532af0fe3e0fb8_ppc64le",
"product_id": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:5149bc20e5d0a9e281ca3330d000d613b5987f46996e771067532af0fe3e0fb8_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256%3A5149bc20e5d0a9e281ca3330d000d613b5987f46996e771067532af0fe3e0fb8?arch=ppc64le\u0026repository_url=registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9\u0026tag=1781622627"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:4b8e9cda02c30b95aa6e483dd9f90b2e27b9093212c6c3d956be8da3dd00dd16_s390x",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:4b8e9cda02c30b95aa6e483dd9f90b2e27b9093212c6c3d956be8da3dd00dd16_s390x",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:4b8e9cda02c30b95aa6e483dd9f90b2e27b9093212c6c3d956be8da3dd00dd16_s390x",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3A4b8e9cda02c30b95aa6e483dd9f90b2e27b9093212c6c3d956be8da3dd00dd16?arch=s390x\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1781681524"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1d6d4da4451688faa350b05558ed601e5c498b2382923f1bf45fc41958b098f6_s390x",
"product": {
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1d6d4da4451688faa350b05558ed601e5c498b2382923f1bf45fc41958b098f6_s390x",
"product_id": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1d6d4da4451688faa350b05558ed601e5c498b2382923f1bf45fc41958b098f6_s390x",
"product_identification_helper": {
"purl": "pkg:oci/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256%3A1d6d4da4451688faa350b05558ed601e5c498b2382923f1bf45fc41958b098f6?arch=s390x\u0026repository_url=registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9\u0026tag=1781622627"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:cc6f060d37c92ea68c955e637e6291863272c1992ba86bc872989c4b566fc8bf_arm64",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:cc6f060d37c92ea68c955e637e6291863272c1992ba86bc872989c4b566fc8bf_arm64",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:cc6f060d37c92ea68c955e637e6291863272c1992ba86bc872989c4b566fc8bf_arm64",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3Acc6f060d37c92ea68c955e637e6291863272c1992ba86bc872989c4b566fc8bf?arch=arm64\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1781681524"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:305bf281a63bff13b96466fb7adfd0962ac28e92d649ad692a86eb10db89a1a0_arm64",
"product": {
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:305bf281a63bff13b96466fb7adfd0962ac28e92d649ad692a86eb10db89a1a0_arm64",
"product_id": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:305bf281a63bff13b96466fb7adfd0962ac28e92d649ad692a86eb10db89a1a0_arm64",
"product_identification_helper": {
"purl": "pkg:oci/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256%3A305bf281a63bff13b96466fb7adfd0962ac28e92d649ad692a86eb10db89a1a0?arch=arm64\u0026repository_url=registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9\u0026tag=1781622627"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:0efd1bb73b277b4cdca47bcb424679de6fd094d04e73e7a3ed0c470e8040b440_amd64 as a component of Red Hat OpenShift AI 3.4",
"product_id": "Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-operator-bundle@sha256:0efd1bb73b277b4cdca47bcb424679de6fd094d04e73e7a3ed0c470e8040b440_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:0efd1bb73b277b4cdca47bcb424679de6fd094d04e73e7a3ed0c470e8040b440_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 3.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:4b8e9cda02c30b95aa6e483dd9f90b2e27b9093212c6c3d956be8da3dd00dd16_s390x as a component of Red Hat OpenShift AI 3.4",
"product_id": "Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:4b8e9cda02c30b95aa6e483dd9f90b2e27b9093212c6c3d956be8da3dd00dd16_s390x"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:4b8e9cda02c30b95aa6e483dd9f90b2e27b9093212c6c3d956be8da3dd00dd16_s390x",
"relates_to_product_reference": "Red Hat OpenShift AI 3.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:72648350ddd7a3401542e90f923df38adb4ee75ded438dade1bc472566f474dc_ppc64le as a component of Red Hat OpenShift AI 3.4",
"product_id": "Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:72648350ddd7a3401542e90f923df38adb4ee75ded438dade1bc472566f474dc_ppc64le"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:72648350ddd7a3401542e90f923df38adb4ee75ded438dade1bc472566f474dc_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift AI 3.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:76341c99cdb9a4321a37a58b1757ed0327bcf8d3adfa5688109f138a16b5ef04_amd64 as a component of Red Hat OpenShift AI 3.4",
"product_id": "Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:76341c99cdb9a4321a37a58b1757ed0327bcf8d3adfa5688109f138a16b5ef04_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:76341c99cdb9a4321a37a58b1757ed0327bcf8d3adfa5688109f138a16b5ef04_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 3.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:cc6f060d37c92ea68c955e637e6291863272c1992ba86bc872989c4b566fc8bf_arm64 as a component of Red Hat OpenShift AI 3.4",
"product_id": "Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:cc6f060d37c92ea68c955e637e6291863272c1992ba86bc872989c4b566fc8bf_arm64"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:cc6f060d37c92ea68c955e637e6291863272c1992ba86bc872989c4b566fc8bf_arm64",
"relates_to_product_reference": "Red Hat OpenShift AI 3.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1c962bba45e5cddaadd8ceff241417f9c3686aba1df8b6b511caf5a9901f2c40_amd64 as a component of Red Hat OpenShift AI 3.4",
"product_id": "Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1c962bba45e5cddaadd8ceff241417f9c3686aba1df8b6b511caf5a9901f2c40_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1c962bba45e5cddaadd8ceff241417f9c3686aba1df8b6b511caf5a9901f2c40_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 3.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1d6d4da4451688faa350b05558ed601e5c498b2382923f1bf45fc41958b098f6_s390x as a component of Red Hat OpenShift AI 3.4",
"product_id": "Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1d6d4da4451688faa350b05558ed601e5c498b2382923f1bf45fc41958b098f6_s390x"
},
"product_reference": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1d6d4da4451688faa350b05558ed601e5c498b2382923f1bf45fc41958b098f6_s390x",
"relates_to_product_reference": "Red Hat OpenShift AI 3.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:305bf281a63bff13b96466fb7adfd0962ac28e92d649ad692a86eb10db89a1a0_arm64 as a component of Red Hat OpenShift AI 3.4",
"product_id": "Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:305bf281a63bff13b96466fb7adfd0962ac28e92d649ad692a86eb10db89a1a0_arm64"
},
"product_reference": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:305bf281a63bff13b96466fb7adfd0962ac28e92d649ad692a86eb10db89a1a0_arm64",
"relates_to_product_reference": "Red Hat OpenShift AI 3.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:5149bc20e5d0a9e281ca3330d000d613b5987f46996e771067532af0fe3e0fb8_ppc64le as a component of Red Hat OpenShift AI 3.4",
"product_id": "Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:5149bc20e5d0a9e281ca3330d000d613b5987f46996e771067532af0fe3e0fb8_ppc64le"
},
"product_reference": "registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:5149bc20e5d0a9e281ca3330d000d613b5987f46996e771067532af0fe3e0fb8_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift AI 3.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-42271",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-05-08T04:02:12.169174+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-operator-bundle@sha256:0efd1bb73b277b4cdca47bcb424679de6fd094d04e73e7a3ed0c470e8040b440_amd64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:4b8e9cda02c30b95aa6e483dd9f90b2e27b9093212c6c3d956be8da3dd00dd16_s390x",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:72648350ddd7a3401542e90f923df38adb4ee75ded438dade1bc472566f474dc_ppc64le",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:76341c99cdb9a4321a37a58b1757ed0327bcf8d3adfa5688109f138a16b5ef04_amd64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:cc6f060d37c92ea68c955e637e6291863272c1992ba86bc872989c4b566fc8bf_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467924"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in LiteLLM, a proxy server (AI Gateway) for Large Language Model (LLM) APIs. Two endpoints, used for previewing an MCP server before saving it, accepted a full server configuration including command execution parameters. An authenticated user, even with low-privilege internal-user keys, could exploit this by sending a crafted configuration. This allows for arbitrary command execution on the proxy host with the privileges of the proxy process.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw affecting LiteLLM, as deployed in Red Hat products like Ansible Automation Platform and OpenShift AI. Authenticated users, even with low-privilege API keys, can execute arbitrary commands on the proxy host. This is due to insufficient role checks on specific endpoints that accept server configurations with command execution parameters.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1c962bba45e5cddaadd8ceff241417f9c3686aba1df8b6b511caf5a9901f2c40_amd64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1d6d4da4451688faa350b05558ed601e5c498b2382923f1bf45fc41958b098f6_s390x",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:305bf281a63bff13b96466fb7adfd0962ac28e92d649ad692a86eb10db89a1a0_arm64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:5149bc20e5d0a9e281ca3330d000d613b5987f46996e771067532af0fe3e0fb8_ppc64le"
],
"known_not_affected": [
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-operator-bundle@sha256:0efd1bb73b277b4cdca47bcb424679de6fd094d04e73e7a3ed0c470e8040b440_amd64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:4b8e9cda02c30b95aa6e483dd9f90b2e27b9093212c6c3d956be8da3dd00dd16_s390x",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:72648350ddd7a3401542e90f923df38adb4ee75ded438dade1bc472566f474dc_ppc64le",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:76341c99cdb9a4321a37a58b1757ed0327bcf8d3adfa5688109f138a16b5ef04_amd64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:cc6f060d37c92ea68c955e637e6291863272c1992ba86bc872989c4b566fc8bf_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42271"
},
{
"category": "external",
"summary": "RHBZ#2467924",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467924"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42271",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42271"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42271",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42271"
},
{
"category": "external",
"summary": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
},
{
"category": "external",
"summary": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2026-05-08T03:35:16.758000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-22T05:11:35+00:00",
"details": "For Red Hat OpenShift AI 3.4.1 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1c962bba45e5cddaadd8ceff241417f9c3686aba1df8b6b511caf5a9901f2c40_amd64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1d6d4da4451688faa350b05558ed601e5c498b2382923f1bf45fc41958b098f6_s390x",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:305bf281a63bff13b96466fb7adfd0962ac28e92d649ad692a86eb10db89a1a0_arm64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:5149bc20e5d0a9e281ca3330d000d613b5987f46996e771067532af0fe3e0fb8_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:27784"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-operator-bundle@sha256:0efd1bb73b277b4cdca47bcb424679de6fd094d04e73e7a3ed0c470e8040b440_amd64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:4b8e9cda02c30b95aa6e483dd9f90b2e27b9093212c6c3d956be8da3dd00dd16_s390x",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:72648350ddd7a3401542e90f923df38adb4ee75ded438dade1bc472566f474dc_ppc64le",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:76341c99cdb9a4321a37a58b1757ed0327bcf8d3adfa5688109f138a16b5ef04_amd64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:cc6f060d37c92ea68c955e637e6291863272c1992ba86bc872989c4b566fc8bf_arm64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1c962bba45e5cddaadd8ceff241417f9c3686aba1df8b6b511caf5a9901f2c40_amd64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:1d6d4da4451688faa350b05558ed601e5c498b2382923f1bf45fc41958b098f6_s390x",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:305bf281a63bff13b96466fb7adfd0962ac28e92d649ad692a86eb10db89a1a0_arm64",
"Red Hat OpenShift AI 3.4:registry.redhat.io/rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9@sha256:5149bc20e5d0a9e281ca3330d000d613b5987f46996e771067532af0fe3e0fb8_ppc64le"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2026-06-08T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints"
}
]
}
RHSA-2026:28960
Vulnerability from csaf_redhat - Published: 2026-06-24 10:50 - Updated: 2026-06-24 15:36Summary
Red Hat Security Advisory: RHOAI 2.25.8 - Red Hat OpenShift AI
Severity
Important
Notes
Topic: Updated images are now available for Red Hat OpenShift AI.
Details: Release of RHOAI 2.25.8 provides these changes:
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in LiteLLM, an AI Gateway proxy server. An authenticated user can exploit a missing authorization check on the `/config/update` endpoint. This allows the user to modify proxy configurations and environment variables, leading to remote code execution by registering custom endpoint handlers. Additionally, this vulnerability enables unauthorized reading of server files and potential takeover of privileged accounts through environment variable manipulation.
8.8 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in LiteLLM, a proxy server for Large Language Model (LLM) APIs. When JSON Web Token (JWT) authentication is enabled, the OIDC user information cache uses a truncated portion of the token as a cache key. An unauthenticated attacker can exploit this by crafting a JWT with the same initial characters as a legitimate user's cached token. This allows the attacker to bypass authentication and inherit the legitimate user's identity and permissions, potentially leading to unauthorized access and privilege escalation.
9.1 (Critical)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in LiteLLM, a proxy server (AI Gateway) for Large Language Model (LLM) APIs. Two endpoints, used for previewing an MCP server before saving it, accepted a full server configuration including command execution parameters. An authenticated user, even with low-privilege internal-user keys, could exploit this by sending a crafted configuration. This allows for arbitrary command execution on the proxy host with the privileges of the proxy process.
8.8 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64 | — |
Vendor Fix
fix
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64 | — | ||
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64 | — | ||
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x | — | ||
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le | — | ||
| Unresolved product id: Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64 | — |
Threats
Exploit Status
CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Impact
Important
References
24 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat OpenShift AI.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of RHOAI 2.25.8 provides these changes:",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:28960",
"url": "https://access.redhat.com/errata/RHSA-2026:28960"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-35029",
"url": "https://access.redhat.com/security/cve/CVE-2026-35029"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-35030",
"url": "https://access.redhat.com/security/cve/CVE-2026-35030"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42271",
"url": "https://access.redhat.com/security/cve/CVE-2026-42271"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"url": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_28960.json"
}
],
"title": "Red Hat Security Advisory: RHOAI 2.25.8 - Red Hat OpenShift AI",
"tracking": {
"current_release_date": "2026-06-24T15:36:57+00:00",
"generator": {
"date": "2026-06-24T15:36:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.0.0"
}
},
"id": "RHSA-2026:28960",
"initial_release_date": "2026-06-24T10:50:48+00:00",
"revision_history": [
{
"date": "2026-06-24T10:50:48+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-24T10:50:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-24T15:36:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift AI 2.25",
"product": {
"name": "Red Hat OpenShift AI 2.25",
"product_id": "Red Hat OpenShift AI 2.25",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_ai:2.25::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift AI"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
"product_id": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-llama-stack-core-rhel9@sha256%3A66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-llama-stack-core-rhel9\u0026tag=1781826406"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"product_id": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-operator-bundle@sha256%3Ac0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-operator-bundle\u0026tag=1782131953"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3Aa2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782131177"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"product": {
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"product_id": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"product_identification_helper": {
"purl": "pkg:oci/odh-llama-stack-core-rhel9@sha256%3A59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353?arch=arm64\u0026repository_url=registry.redhat.io/rhoai/odh-llama-stack-core-rhel9\u0026tag=1781826406"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3A1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902?arch=arm64\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782131177"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3A5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87?arch=ppc64le\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782131177"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3A227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd?arch=s390x\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782131177"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64 as a component of Red Hat OpenShift AI 2.25",
"product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64"
},
"product_reference": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.25"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64 as a component of Red Hat OpenShift AI 2.25",
"product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.25"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64 as a component of Red Hat OpenShift AI 2.25",
"product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.25"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64 as a component of Red Hat OpenShift AI 2.25",
"product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.25"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x as a component of Red Hat OpenShift AI 2.25",
"product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"relates_to_product_reference": "Red Hat OpenShift AI 2.25"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le as a component of Red Hat OpenShift AI 2.25",
"product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift AI 2.25"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64 as a component of Red Hat OpenShift AI 2.25",
"product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.25"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-35029",
"cwe": {
"id": "CWE-425",
"name": "Direct Request (\u0027Forced Browsing\u0027)"
},
"discovery_date": "2026-04-06T17:01:57.502231+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455474"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in LiteLLM, an AI Gateway proxy server. An authenticated user can exploit a missing authorization check on the `/config/update` endpoint. This allows the user to modify proxy configurations and environment variables, leading to remote code execution by registering custom endpoint handlers. Additionally, this vulnerability enables unauthorized reading of server files and potential takeover of privileged accounts through environment variable manipulation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "litellm: LiteLLM: Remote code execution and privilege escalation via unrestricted proxy configuration endpoint",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in LiteLLM allows an authenticated user to bypass authorization on the `/config/update` endpoint. This enables modification of proxy configurations and environment variables, leading to remote code execution, unauthorized file access, and potential account takeover. Red Hat Ansible Automation Platform, Lightspeed Core, and Red Hat OpenShift AI are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
],
"known_not_affected": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-35029"
},
{
"category": "external",
"summary": "RHBZ#2455474",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455474"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-35029",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35029"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-35029",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35029"
},
{
"category": "external",
"summary": "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789"
}
],
"release_date": "2026-04-06T16:35:28.974000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-24T10:50:48+00:00",
"details": "For Red Hat OpenShift AI 2.25.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:28960"
},
{
"category": "workaround",
"details": "Limit network access to the LiteLLM service to trusted networks or hosts only. Implement firewall rules to restrict inbound connections to the LiteLLM service\u0027s port, ensuring that only authorized systems can reach the service. This reduces the exposure of the `/config/update` endpoint to unauthorized authenticated users.",
"product_ids": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "litellm: LiteLLM: Remote code execution and privilege escalation via unrestricted proxy configuration endpoint"
},
{
"cve": "CVE-2026-35030",
"cwe": {
"id": "CWE-222",
"name": "Truncation of Security-relevant Information"
},
"discovery_date": "2026-04-06T18:01:07.517951+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455509"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in LiteLLM, a proxy server for Large Language Model (LLM) APIs. When JSON Web Token (JWT) authentication is enabled, the OIDC user information cache uses a truncated portion of the token as a cache key. An unauthenticated attacker can exploit this by crafting a JWT with the same initial characters as a legitimate user\u0027s cached token. This allows the attacker to bypass authentication and inherit the legitimate user\u0027s identity and permissions, potentially leading to unauthorized access and privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw in LiteLLM that enables authentication bypass and privilege escalation. The vulnerability is present only when JWT authentication is explicitly enabled, as this configuration is not active by default. Red Hat Ansible Automation Platform, Lightspeed Core, Red Hat OpenShift AI, and Ansible Services are affected if configured with JWT authentication.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
],
"known_not_affected": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-35030"
},
{
"category": "external",
"summary": "RHBZ#2455509",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455509"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-35030",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35030"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-35030",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35030"
},
{
"category": "external",
"summary": "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6"
}
],
"release_date": "2026-04-06T16:47:02.065000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-24T10:50:48+00:00",
"details": "For Red Hat OpenShift AI 2.25.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:28960"
},
{
"category": "workaround",
"details": "To mitigate this issue, ensure that JWT authentication is not enabled in LiteLLM configurations. The vulnerability only manifests when `enable_jwt_auth` is set to `true`. If JWT authentication is not strictly required, disable it to prevent potential authentication bypass and privilege escalation. If this configuration is changed, a restart of the LiteLLM service may be required for the changes to take effect.",
"product_ids": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision"
},
{
"cve": "CVE-2026-42271",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-05-08T04:02:12.169174+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467924"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in LiteLLM, a proxy server (AI Gateway) for Large Language Model (LLM) APIs. Two endpoints, used for previewing an MCP server before saving it, accepted a full server configuration including command execution parameters. An authenticated user, even with low-privilege internal-user keys, could exploit this by sending a crafted configuration. This allows for arbitrary command execution on the proxy host with the privileges of the proxy process.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw affecting LiteLLM, as deployed in Red Hat products like Ansible Automation Platform and OpenShift AI. Authenticated users, even with low-privilege API keys, can execute arbitrary commands on the proxy host. This is due to insufficient role checks on specific endpoints that accept server configurations with command execution parameters.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
],
"known_not_affected": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42271"
},
{
"category": "external",
"summary": "RHBZ#2467924",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467924"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42271",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42271"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42271",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42271"
},
{
"category": "external",
"summary": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
},
{
"category": "external",
"summary": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2026-05-08T03:35:16.758000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-24T10:50:48+00:00",
"details": "For Red Hat OpenShift AI 2.25.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:28960"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
"Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2026-06-08T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints"
}
]
}
RHSA-2026:30056
Vulnerability from csaf_redhat - Published: 2026-06-25 18:09 - Updated: 2026-06-25 23:42Summary
Red Hat Security Advisory: RHOAI 3.3.4 - Red Hat OpenShift AI
Severity
Important
Notes
Topic: Updated images are now available for Red Hat OpenShift AI.
Details: Release of RHOAI 3.3.4 provides these changes:
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in LiteLLM, an AI Gateway proxy server. An authenticated user can exploit a missing authorization check on the `/config/update` endpoint. This allows the user to modify proxy configurations and environment variables, leading to remote code execution by registering custom endpoint handlers. Additionally, this vulnerability enables unauthorized reading of server files and potential takeover of privileged accounts through environment variable manipulation.
8.8 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x | — |
Workaround
|
Threats
Impact
Important
A flaw was found in LiteLLM, a proxy server for Large Language Model (LLM) APIs. When JSON Web Token (JWT) authentication is enabled, the OIDC user information cache uses a truncated portion of the token as a cache key. An unauthenticated attacker can exploit this by crafting a JWT with the same initial characters as a legitimate user's cached token. This allows the attacker to bypass authentication and inherit the legitimate user's identity and permissions, potentially leading to unauthorized access and privilege escalation.
9.1 (Critical)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x | — |
Workaround
|
Threats
Impact
Important
A flaw was found in LiteLLM. A remote attacker can exploit this flaw by performing bytecode rewriting at the `/guardrails/test_custom_code` URI. This could lead to arbitrary code execution, allowing the attacker to run malicious code on the affected system.
8.8 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x | — |
Workaround
|
Threats
Impact
Important
A flaw was found in LiteLLM, a proxy server (AI Gateway) for Large Language Model (LLM) APIs. Two endpoints, used for previewing an MCP server before saving it, accepted a full server configuration including command execution parameters. An authenticated user, even with low-privilege internal-user keys, could exploit this by sending a crafted configuration. This allows for arbitrary command execution on the proxy host with the privileges of the proxy process.
8.8 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64 | — |
Vendor Fix
fix
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64 | — | ||
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64 | — | ||
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le | — | ||
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64 | — | ||
| Unresolved product id: Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x | — |
Threats
Exploit Status
CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Impact
Important
References
30 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat OpenShift AI.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of RHOAI 3.3.4 provides these changes:",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:30056",
"url": "https://access.redhat.com/errata/RHSA-2026:30056"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-35029",
"url": "https://access.redhat.com/security/cve/CVE-2026-35029"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-35030",
"url": "https://access.redhat.com/security/cve/CVE-2026-35030"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-40217",
"url": "https://access.redhat.com/security/cve/CVE-2026-40217"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42271",
"url": "https://access.redhat.com/security/cve/CVE-2026-42271"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"url": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_30056.json"
}
],
"title": "Red Hat Security Advisory: RHOAI 3.3.4 - Red Hat OpenShift AI",
"tracking": {
"current_release_date": "2026-06-25T23:42:37+00:00",
"generator": {
"date": "2026-06-25T23:42:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.2.5"
}
},
"id": "RHSA-2026:30056",
"initial_release_date": "2026-06-25T18:09:56+00:00",
"revision_history": [
{
"date": "2026-06-25T18:09:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-25T18:09:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-25T23:42:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift AI 3.3",
"product": {
"name": "Red Hat OpenShift AI 3.3",
"product_id": "Red Hat OpenShift AI 3.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_ai:3.3::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift AI"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"product_id": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-llama-stack-core-rhel9@sha256%3Ab6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-llama-stack-core-rhel9\u0026tag=1782310008"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"product_id": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-operator-bundle@sha256%3A163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-operator-bundle\u0026tag=1782332801"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3A5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782332088"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64",
"product": {
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64",
"product_id": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64",
"product_identification_helper": {
"purl": "pkg:oci/odh-llama-stack-core-rhel9@sha256%3Aee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139?arch=arm64\u0026repository_url=registry.redhat.io/rhoai/odh-llama-stack-core-rhel9\u0026tag=1782310008"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3A195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11?arch=arm64\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782332088"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3A48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e?arch=ppc64le\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782332088"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x",
"product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel9-operator@sha256%3Af7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466?arch=s390x\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782332088"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64 as a component of Red Hat OpenShift AI 3.3",
"product_id": "Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64 as a component of Red Hat OpenShift AI 3.3",
"product_id": "Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64"
},
"product_reference": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64",
"relates_to_product_reference": "Red Hat OpenShift AI 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64 as a component of Red Hat OpenShift AI 3.3",
"product_id": "Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64 as a component of Red Hat OpenShift AI 3.3",
"product_id": "Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"relates_to_product_reference": "Red Hat OpenShift AI 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le as a component of Red Hat OpenShift AI 3.3",
"product_id": "Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift AI 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64 as a component of Red Hat OpenShift AI 3.3",
"product_id": "Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x as a component of Red Hat OpenShift AI 3.3",
"product_id": "Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x",
"relates_to_product_reference": "Red Hat OpenShift AI 3.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-35029",
"cwe": {
"id": "CWE-425",
"name": "Direct Request (\u0027Forced Browsing\u0027)"
},
"discovery_date": "2026-04-06T17:01:57.502231+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455474"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in LiteLLM, an AI Gateway proxy server. An authenticated user can exploit a missing authorization check on the `/config/update` endpoint. This allows the user to modify proxy configurations and environment variables, leading to remote code execution by registering custom endpoint handlers. Additionally, this vulnerability enables unauthorized reading of server files and potential takeover of privileged accounts through environment variable manipulation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "litellm: LiteLLM: Remote code execution and privilege escalation via unrestricted proxy configuration endpoint",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in LiteLLM allows an authenticated user to bypass authorization on the `/config/update` endpoint. This enables modification of proxy configurations and environment variables, leading to remote code execution, unauthorized file access, and potential account takeover. Red Hat Ansible Automation Platform, Lightspeed Core, and Red Hat OpenShift AI are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64"
],
"known_not_affected": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-35029"
},
{
"category": "external",
"summary": "RHBZ#2455474",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455474"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-35029",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35029"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-35029",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35029"
},
{
"category": "external",
"summary": "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789"
}
],
"release_date": "2026-04-06T16:35:28.974000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:09:56+00:00",
"details": "For Red Hat OpenShift AI 3.3.4 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30056"
},
{
"category": "workaround",
"details": "Limit network access to the LiteLLM service to trusted networks or hosts only. Implement firewall rules to restrict inbound connections to the LiteLLM service\u0027s port, ensuring that only authorized systems can reach the service. This reduces the exposure of the `/config/update` endpoint to unauthorized authenticated users.",
"product_ids": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "litellm: LiteLLM: Remote code execution and privilege escalation via unrestricted proxy configuration endpoint"
},
{
"cve": "CVE-2026-35030",
"cwe": {
"id": "CWE-222",
"name": "Truncation of Security-relevant Information"
},
"discovery_date": "2026-04-06T18:01:07.517951+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455509"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in LiteLLM, a proxy server for Large Language Model (LLM) APIs. When JSON Web Token (JWT) authentication is enabled, the OIDC user information cache uses a truncated portion of the token as a cache key. An unauthenticated attacker can exploit this by crafting a JWT with the same initial characters as a legitimate user\u0027s cached token. This allows the attacker to bypass authentication and inherit the legitimate user\u0027s identity and permissions, potentially leading to unauthorized access and privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw in LiteLLM that enables authentication bypass and privilege escalation. The vulnerability is present only when JWT authentication is explicitly enabled, as this configuration is not active by default. Red Hat Ansible Automation Platform, Lightspeed Core, Red Hat OpenShift AI, and Ansible Services are affected if configured with JWT authentication.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64"
],
"known_not_affected": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-35030"
},
{
"category": "external",
"summary": "RHBZ#2455509",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455509"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-35030",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35030"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-35030",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35030"
},
{
"category": "external",
"summary": "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6"
}
],
"release_date": "2026-04-06T16:47:02.065000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:09:56+00:00",
"details": "For Red Hat OpenShift AI 3.3.4 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30056"
},
{
"category": "workaround",
"details": "To mitigate this issue, ensure that JWT authentication is not enabled in LiteLLM configurations. The vulnerability only manifests when `enable_jwt_auth` is set to `true`. If JWT authentication is not strictly required, disable it to prevent potential authentication bypass and privilege escalation. If this configuration is changed, a restart of the LiteLLM service may be required for the changes to take effect.",
"product_ids": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision"
},
{
"cve": "CVE-2026-40217",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2026-04-10T15:01:29.063442+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2457301"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in LiteLLM. A remote attacker can exploit this flaw by performing bytecode rewriting at the `/guardrails/test_custom_code` URI. This could lead to arbitrary code execution, allowing the attacker to run malicious code on the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "LiteLLM: LiteLLM: Arbitrary Code Execution via bytecode rewriting",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64"
],
"known_not_affected": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40217"
},
{
"category": "external",
"summary": "RHBZ#2457301",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457301"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40217",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40217"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40217",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40217"
},
{
"category": "external",
"summary": "https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm/",
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm/"
}
],
"release_date": "2026-04-10T13:43:23.147000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:09:56+00:00",
"details": "For Red Hat OpenShift AI 3.3.4 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30056"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "LiteLLM: LiteLLM: Arbitrary Code Execution via bytecode rewriting"
},
{
"cve": "CVE-2026-42271",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-05-08T04:02:12.169174+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467924"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in LiteLLM, a proxy server (AI Gateway) for Large Language Model (LLM) APIs. Two endpoints, used for previewing an MCP server before saving it, accepted a full server configuration including command execution parameters. An authenticated user, even with low-privilege internal-user keys, could exploit this by sending a crafted configuration. This allows for arbitrary command execution on the proxy host with the privileges of the proxy process.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw affecting LiteLLM, as deployed in Red Hat products like Ansible Automation Platform and OpenShift AI. Authenticated users, even with low-privilege API keys, can execute arbitrary commands on the proxy host. This is due to insufficient role checks on specific endpoints that accept server configurations with command execution parameters.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64"
],
"known_not_affected": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42271"
},
{
"category": "external",
"summary": "RHBZ#2467924",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467924"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42271",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42271"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42271",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42271"
},
{
"category": "external",
"summary": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
},
{
"category": "external",
"summary": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2026-05-08T03:35:16.758000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:09:56+00:00",
"details": "For Red Hat OpenShift AI 3.3.4 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30056"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:b6ec1fac474c9ff596322446656add0ebb10c449d623c37a3f71548957dc4c9c_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:ee821288511aaf6e91080f8a925a425e5d26eeacc73f042b39469c65c2e7a139_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-operator-bundle@sha256:163f636a1cbc151572ad0470bd5b06650980efd72e6c462cff6ce9ce4bcfaa93_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:195a25181e1ff5c73cea1146a339489398cb54618e8cd9d574e90a72a1ff3e11_arm64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:48a73c9e0491f2f9bb109e15fea89ebd65939ed9bcfced506e006f23bbe9f64e_ppc64le",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5b0afdcb5c35d4c55847e1eb2967056ef9f508549f40028d6a6d2b41f6e70fe6_amd64",
"Red Hat OpenShift AI 3.3:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:f7788f465a7f7d03b8ac7b1de0994e99eb95693f78120856420e7d2426a3c466_s390x"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2026-06-08T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints"
}
]
}
WID-SEC-W-2026-1288
Vulnerability from csaf_certbund - Published: 2026-04-27 22:00 - Updated: 2026-06-08 22:00Summary
LiteLLM: Mehrere Schwachstellen
Severity
Kritisch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: LiteLLM ist ein Gateway, das eine einheitliche Schnittstelle für verschiedene Large Language Models (LLMs) bietet.
Angriff: Ein Angreifer kann mehrere Schwachstellen in LiteLLM ausnutzen, um einen SQL-Injection-Angriff durchzuführen und sich unbefugten Zugriff zu verschaffen oder um beliebigen Programmcode mit den Rechten des Dienstes auszuführen
Betroffene Betriebssysteme: - Sonstiges
- UNIX
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source LiteLLM <1.83.7
Open Source / LiteLLM
|
<1.83.7 |
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source LiteLLM >=1.81.16
Open Source / LiteLLM
|
>=1.81.16 | ||
|
Open Source LiteLLM <1.83.7
Open Source / LiteLLM
|
<1.83.7 |
References
6 references
{
"document": {
"aggregate_severity": {
"text": "kritisch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "LiteLLM ist ein Gateway, das eine einheitliche Schnittstelle f\u00fcr verschiedene Large Language Models (LLMs) bietet.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in LiteLLM ausnutzen, um einen SQL-Injection-Angriff durchzuf\u00fchren und sich unbefugten Zugriff zu verschaffen oder um beliebigen Programmcode mit den Rechten des Dienstes auszuf\u00fchren",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1288 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1288.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1288 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1288"
},
{
"category": "external",
"summary": "GitHub Vulnerability Database vom 2026-04-27",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc"
},
{
"category": "external",
"summary": "Sysdig Blog vom 2026-04-27",
"url": "https://webflow.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure"
},
{
"category": "external",
"summary": "GitHub Vulnerability Database vom 2026-04-27",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
},
{
"category": "external",
"summary": "Exploit CVE-2026-42271 vom 2026-06-08",
"url": "https://www.cisa.gov/news-events/alerts/2026/06/08/cisa-adds-two-known-exploited-vulnerabilities-catalog"
}
],
"source_lang": "en-US",
"title": "LiteLLM: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-06-08T22:00:00.000+00:00",
"generator": {
"date": "2026-06-09T11:10:58.406+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-1288",
"initial_release_date": "2026-04-27T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-04-27T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-05-07T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2026-28503, EUVD-2026-28507"
},
{
"date": "2026-06-08T22:00:00.000+00:00",
"number": "3",
"summary": "CVE-2026-42271 Exploit"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=1.81.16",
"product": {
"name": "Open Source LiteLLM \u003e=1.81.16",
"product_id": "T053363"
}
},
{
"category": "product_version_range",
"name": "\u003e=1.81.16",
"product": {
"name": "Open Source LiteLLM \u003e=1.81.16",
"product_id": "T053363-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c1.83.7",
"product": {
"name": "Open Source LiteLLM \u003c1.83.7",
"product_id": "T053364"
}
},
{
"category": "product_version",
"name": "1.83.7",
"product": {
"name": "Open Source LiteLLM 1.83.7",
"product_id": "T053364-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:litellm:litellm:1.83.7"
}
}
},
{
"category": "product_version_range",
"name": "\u003e=1.74.2",
"product": {
"name": "Open Source LiteLLM \u003e=1.74.2",
"product_id": "T053371"
}
},
{
"category": "product_version_range",
"name": "\u003e=1.74.2",
"product": {
"name": "Open Source LiteLLM \u003e=1.74.2",
"product_id": "T053371-fixed"
}
}
],
"category": "product_name",
"name": "LiteLLM"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-42208",
"product_status": {
"known_affected": [
"T053364"
]
},
"release_date": "2026-04-27T22:00:00.000+00:00",
"title": "CVE-2026-42208"
},
{
"cve": "CVE-2026-42271",
"product_status": {
"known_affected": [
"T053363",
"T053364"
]
},
"release_date": "2026-04-27T22:00:00.000+00:00",
"title": "CVE-2026-42271"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…