RHSA-2026:28960

Vulnerability from csaf_redhat - Published: 2026-06-24 10:50 - Updated: 2026-06-24 15:36
Summary
Red Hat Security Advisory: RHOAI 2.25.8 - Red Hat OpenShift AI
Severity
Important
Notes
Topic: Updated images are now available for Red Hat OpenShift AI.
Details: Release of RHOAI 2.25.8 provides these changes:
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

A flaw was found in LiteLLM, an AI Gateway proxy server. An authenticated user can exploit a missing authorization check on the `/config/update` endpoint. This allows the user to modify proxy configurations and environment variables, leading to remote code execution by registering custom endpoint handlers. Additionally, this vulnerability enables unauthorized reading of server files and potential takeover of privileged accounts through environment variable manipulation.

CWE-425 - Direct Request ('Forced Browsing')
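The flaw described above turns on the difference between authentication and authorization: a valid key proves who the caller is, not which endpoints they may change. The following added example (illustrative code, not LiteLLM's) contrasts a handler that stops at "is this key valid?" with one that also enforces a per-endpoint minimum role and denies unregistered paths by default. The key table, the roles, and every path except `/config/update` (the one named in the advisory) are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _key_digest(api_key: str) -> str:
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed key table: digest of the API key -> role. Keys are stored as
# digests so a leaked table does not hand out usable credentials.
KEY_TABLE = {
    _key_digest("sk-admin-constructed"): "admin",
    _key_digest("sk-internal-constructed"): "internal_user",
}

ROLE_RANK = {"internal_user": 1, "admin": 2}

# Minimum role per endpoint. `/config/update` is the path named in the
# advisory; the other two paths are hypothetical.
ENDPOINT_MIN_ROLE = {
    "/chat/completions": "internal_user",
    "/config/update": "admin",
    "/config/get": "admin",
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    role: Optional[str] = None


def authenticate(api_key: str) -> Optional[str]:
    """Map a presented key to its role, or None when the key is unknown."""
    presented = _key_digest(api_key)
    for stored, role in KEY_TABLE.items():
        if hmac.compare_digest(stored, presented):
            return role
    return None


def authorize_vulnerable(api_key: str, path: str) -> Decision:
    """Flawed pattern: any valid key is treated as sufficient for every path."""
    role = authenticate(api_key)
    if role is None:
        return Decision(False, "unauthenticated")
    return Decision(True, "authenticated; no per-endpoint check", role)


def authorize_hardened(api_key: str, path: str) -> Decision:
    """Hardened pattern: authenticate, then enforce the endpoint's minimum role.
    Paths without an entry are denied rather than silently allowed."""
    role = authenticate(api_key)
    if role is None:
        return Decision(False, "unauthenticated")
    required = ENDPOINT_MIN_ROLE.get(path)
    if required is None:
        return Decision(False, "unregistered endpoint: deny by default", role)
    if ROLE_RANK[role] < ROLE_RANK[required]:
        return Decision(False, f"role {role!r} is below required {required!r}", role)
    return Decision(True, "authorized", role)


if __name__ == "__main__":
    # A low-privilege key against the configuration-mutating endpoint:
    # the flawed check lets it through, the hardened one does not.
    for check in (authorize_vulnerable, authorize_hardened):
        print(check.__name__, check("sk-internal-constructed", "/config/update"))
```

The deny-by-default branch matters as much as the role comparison: a mutating endpoint that is added later without an entry in the table fails closed instead of inheriting "authenticated is enough".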
Affected products
Red Hat OpenShift AI 2.25 - Remediation: Vendor Fix, Workaround
  registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64
  registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64
Red Hat OpenShift AI 2.25 - Remediation: Workaround
  registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64
Threats
Impact Important

A flaw was found in LiteLLM, a proxy server for Large Language Model (LLM) APIs. When JSON Web Token (JWT) authentication is enabled, the OIDC user information cache uses a truncated portion of the token as a cache key. An unauthenticated attacker can exploit this by crafting a JWT with the same initial characters as a legitimate user's cached token. This allows the attacker to bypass authentication and inherit the legitimate user's identity and permissions, potentially leading to unauthorized access and privilege escalation.

CWE-222 - Truncation of Security-relevant Information
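To show why a truncated token prefix is an unsafe cache key, here is an added, self-contained example that is not LiteLLM's code. It builds two HS256-style tokens for different users from the same issuer, then runs a user-info cache keyed first on a 64-character prefix of the token and then on a digest of the whole token. The signing secret, the issuer, the users and the prefix length are all constructed for the demonstration; the JWT layout (header.payload.signature, base64url, no padding) follows the standard format.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

SECRET = b"constructed-demo-secret"  # constructed; stands in for the IdP's signing key
TRUNCATE_AT = 64                      # hypothetical prefix length used by the flawed cache


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(signing_input: str) -> str:
    return _b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())


def make_jwt(claims: dict, signed: bool = True) -> str:
    """Build header.payload.signature; an unsigned token carries a junk signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = _sign(signing_input) if signed else _b64url(b"\x00" * 32)
    return f"{signing_input}.{sig}"


def verify_jwt(token: str) -> Optional[dict]:
    """Return the claims only if the signature over header.payload checks out."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{header}.{payload}"), sig):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def truncated_key(token: str) -> str:
    """Flawed: every token from the same issuer shares its leading characters
    (identical header, identical leading claims), so distinct tokens collide."""
    return token[:TRUNCATE_AT]


def digest_key(token: str) -> str:
    """Hardened: the key is a function of the entire token."""
    return hashlib.sha256(token.encode()).hexdigest()


class UserInfoCache:
    def __init__(self, key_fn: Callable[[str], str]):
        self._key_fn = key_fn
        self._store: Dict[str, dict] = {}

    def get(self, token: str) -> Optional[dict]:
        return self._store.get(self._key_fn(token))

    def put(self, token: str, info: dict) -> None:
        self._store[self._key_fn(token)] = info


def resolve_flawed(cache: UserInfoCache, token: str) -> Optional[dict]:
    """Flawed flow: a cache hit is trusted before the presented token is verified."""
    hit = cache.get(token)
    if hit is not None:
        return hit
    claims = verify_jwt(token)
    if claims is not None:
        cache.put(token, claims)
    return claims


def resolve_hardened(cache: UserInfoCache, token: str) -> Optional[dict]:
    """Hardened flow: verify first; the cache only spares a re-fetch of user info
    for a token that already passed verification, and is keyed on the full token."""
    claims = verify_jwt(token)
    if claims is None:
        return None
    hit = cache.get(token)
    if hit is None:
        cache.put(token, claims)
        hit = claims
    return hit


def demo() -> dict:
    alice = make_jwt({"iss": "https://idp.example", "sub": "alice", "role": "admin"})
    bob = make_jwt({"iss": "https://idp.example", "sub": "bob", "role": "viewer"})
    flawed, hardened = UserInfoCache(truncated_key), UserInfoCache(digest_key)
    resolve_flawed(flawed, alice)        # alice is resolved first and cached
    resolve_hardened(hardened, alice)
    return {
        "same_truncated_key": truncated_key(alice) == truncated_key(bob),
        "same_digest_key": digest_key(alice) == digest_key(bob),
        "flawed_sees_bob_as": resolve_flawed(flawed, bob)["sub"],
        "hardened_sees_bob_as": resolve_hardened(hardened, bob)["sub"],
    }


if __name__ == "__main__":
    print(demo())
```

Two things have to be true of the hardened version: the cache key covers the whole credential, and the cache is consulted only after the token has been verified. Fixing just the key length still leaves a cache-before-verify flow that can serve an entry to a token that would not itself pass verification.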
Affected products
Red Hat OpenShift AI 2.25 - Remediation: Vendor Fix, Workaround
  registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64
  registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64
Red Hat OpenShift AI 2.25 - Remediation: Workaround
  registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64
Threats
Impact Important

A flaw was found in LiteLLM, a proxy server (AI Gateway) for Large Language Model (LLM) APIs. Two endpoints, used for previewing an MCP server before saving it, accepted a full server configuration including command execution parameters. An authenticated user, even with low-privilege internal-user keys, could exploit this by sending a crafted configuration. This allows for arbitrary command execution on the proxy host with the privileges of the proxy process.

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected products
Red Hat OpenShift AI 2.25 - Remediation: Vendor Fix
  registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64
  registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64
Red Hat OpenShift AI 2.25 - Remediation: none listed
  registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le
  registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64
Threats
Exploit Status CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Impact Important

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated images are now available for Red Hat OpenShift AI.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Release of RHOAI 2.25.8 provides these changes:",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:28960",
        "url": "https://access.redhat.com/errata/RHSA-2026:28960"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-35029",
        "url": "https://access.redhat.com/security/cve/CVE-2026-35029"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-35030",
        "url": "https://access.redhat.com/security/cve/CVE-2026-35030"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42271",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42271"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
        "url": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_28960.json"
      }
    ],
    "title": "Red Hat Security Advisory: RHOAI 2.25.8 - Red Hat OpenShift AI",
    "tracking": {
      "current_release_date": "2026-06-24T15:36:57+00:00",
      "generator": {
        "date": "2026-06-24T15:36:57+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.0.0"
        }
      },
      "id": "RHSA-2026:28960",
      "initial_release_date": "2026-06-24T10:50:48+00:00",
      "revision_history": [
        {
          "date": "2026-06-24T10:50:48+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-24T10:50:55+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-24T15:36:57+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift AI 2.25",
                "product": {
                  "name": "Red Hat OpenShift AI 2.25",
                  "product_id": "Red Hat OpenShift AI 2.25",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_ai:2.25::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift AI"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
                "product": {
                  "name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
                  "product_id": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/odh-llama-stack-core-rhel9@sha256%3A66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-llama-stack-core-rhel9\u0026tag=1781826406"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
                "product": {
                  "name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
                  "product_id": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/odh-operator-bundle@sha256%3Ac0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-operator-bundle\u0026tag=1782131953"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64",
                "product": {
                  "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64",
                  "product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/odh-rhel9-operator@sha256%3Aa2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace?arch=amd64\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782131177"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
                "product": {
                  "name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
                  "product_id": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/odh-llama-stack-core-rhel9@sha256%3A59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353?arch=arm64\u0026repository_url=registry.redhat.io/rhoai/odh-llama-stack-core-rhel9\u0026tag=1781826406"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
                "product": {
                  "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
                  "product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/odh-rhel9-operator@sha256%3A1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902?arch=arm64\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782131177"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
                "product": {
                  "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
                  "product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/odh-rhel9-operator@sha256%3A5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87?arch=ppc64le\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782131177"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
                "product": {
                  "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
                  "product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/odh-rhel9-operator@sha256%3A227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd?arch=s390x\u0026repository_url=registry.redhat.io/rhoai/odh-rhel9-operator\u0026tag=1782131177"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64 as a component of Red Hat OpenShift AI 2.25",
          "product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64"
        },
        "product_reference": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
        "relates_to_product_reference": "Red Hat OpenShift AI 2.25"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64 as a component of Red Hat OpenShift AI 2.25",
          "product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
        },
        "product_reference": "registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
        "relates_to_product_reference": "Red Hat OpenShift AI 2.25"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64 as a component of Red Hat OpenShift AI 2.25",
          "product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64"
        },
        "product_reference": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
        "relates_to_product_reference": "Red Hat OpenShift AI 2.25"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64 as a component of Red Hat OpenShift AI 2.25",
          "product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64"
        },
        "product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
        "relates_to_product_reference": "Red Hat OpenShift AI 2.25"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x as a component of Red Hat OpenShift AI 2.25",
          "product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x"
        },
        "product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
        "relates_to_product_reference": "Red Hat OpenShift AI 2.25"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le as a component of Red Hat OpenShift AI 2.25",
          "product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le"
        },
        "product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
        "relates_to_product_reference": "Red Hat OpenShift AI 2.25"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64 as a component of Red Hat OpenShift AI 2.25",
          "product_id": "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
        },
        "product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64",
        "relates_to_product_reference": "Red Hat OpenShift AI 2.25"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-35029",
      "cwe": {
        "id": "CWE-425",
        "name": "Direct Request (\u0027Forced Browsing\u0027)"
      },
      "discovery_date": "2026-04-06T17:01:57.502231+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455474"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in LiteLLM, an AI Gateway proxy server. An authenticated user can exploit a missing authorization check on the `/config/update` endpoint. This allows the user to modify proxy configurations and environment variables, leading to remote code execution by registering custom endpoint handlers. Additionally, this vulnerability enables unauthorized reading of server files and potential takeover of privileged accounts through environment variable manipulation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "litellm: LiteLLM: Remote code execution and privilege escalation via unrestricted proxy configuration endpoint",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This Important flaw in LiteLLM allows an authenticated user to bypass authorization on the `/config/update` endpoint. This enables modification of proxy configurations and environment variables, leading to remote code execution, unauthorized file access, and potential account takeover. Red Hat Ansible Automation Platform, Lightspeed Core, and Red Hat OpenShift AI are affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
        ],
        "known_not_affected": [
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-35029"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455474",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455474"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-35029",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-35029"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-35029",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35029"
        },
        {
          "category": "external",
          "summary": "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789",
          "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789"
        }
      ],
      "release_date": "2026-04-06T16:35:28.974000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-24T10:50:48+00:00",
          "details": "For Red Hat OpenShift AI 2.25.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
          "product_ids": [
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28960"
        },
        {
          "category": "workaround",
          "details": "Limit network access to the LiteLLM service to trusted networks or hosts only. Implement firewall rules to restrict inbound connections to the LiteLLM service\u0027s port, ensuring that only authorized systems can reach the service. This reduces the exposure of the `/config/update` endpoint to unauthorized authenticated users.",
          "product_ids": [
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "litellm: LiteLLM: Remote code execution and privilege escalation via unrestricted proxy configuration endpoint"
    },
    {
      "cve": "CVE-2026-35030",
      "cwe": {
        "id": "CWE-222",
        "name": "Truncation of Security-relevant Information"
      },
      "discovery_date": "2026-04-06T18:01:07.517951+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455509"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in LiteLLM, a proxy server for Large Language Model (LLM) APIs. When JSON Web Token (JWT) authentication is enabled, the OIDC user information cache uses a truncated portion of the token as a cache key. An unauthenticated attacker can exploit this by crafting a JWT with the same initial characters as a legitimate user\u0027s cached token. This allows the attacker to bypass authentication and inherit the legitimate user\u0027s identity and permissions, potentially leading to unauthorized access and privilege escalation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important flaw in LiteLLM that enables authentication bypass and privilege escalation. The vulnerability is present only when JWT authentication is explicitly enabled, as this configuration is not active by default. Red Hat Ansible Automation Platform, Lightspeed Core, Red Hat OpenShift AI, and Ansible Services are affected if configured with JWT authentication.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
        ],
        "known_not_affected": [
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-35030"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455509",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455509"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-35030",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-35030"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-35030",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35030"
        },
        {
          "category": "external",
          "summary": "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6",
          "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6"
        }
      ],
      "release_date": "2026-04-06T16:47:02.065000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-24T10:50:48+00:00",
          "details": "For Red Hat OpenShift AI 2.25.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
          "product_ids": [
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28960"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, ensure that JWT authentication is not enabled in LiteLLM configurations. The vulnerability only manifests when `enable_jwt_auth` is set to `true`. If JWT authentication is not strictly required, disable it to prevent potential authentication bypass and privilege escalation. If this configuration is changed, a restart of the LiteLLM service may be required for the changes to take effect.",
          "product_ids": [
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision"
    },
    {
      "cve": "CVE-2026-42271",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "discovery_date": "2026-05-08T04:02:12.169174+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2467924"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in LiteLLM, a proxy server (AI Gateway) for Large Language Model (LLM) APIs. Two endpoints, used for previewing an MCP server before saving it, accepted a full server configuration including command execution parameters. An authenticated user, even with low-privilege internal-user keys, could exploit this by sending a crafted configuration. This allows for arbitrary command execution on the proxy host with the privileges of the proxy process.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important flaw affecting LiteLLM, as deployed in Red Hat products like Ansible Automation Platform and OpenShift AI. Authenticated users, even with low-privilege API keys, can execute arbitrary commands on the proxy host. This is due to insufficient role checks on specific endpoints that accept server configurations with command execution parameters.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
        ],
        "known_not_affected": [
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
          "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42271"
        },
        {
          "category": "external",
          "summary": "RHBZ#2467924",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467924"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42271",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42271"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42271",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42271"
        },
        {
          "category": "external",
          "summary": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
          "url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
        },
        {
          "category": "external",
          "summary": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g",
          "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2026-05-08T03:35:16.758000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-24T10:50:48+00:00",
          "details": "For Red Hat OpenShift AI 2.25.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
          "product_ids": [
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28960"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:59a4a3dc01e258bdd6aa463c8dbb34e14bd1a8357ef6ae3d4ea9e6c8ce062353_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-llama-stack-core-rhel9@sha256:66cc80e961fe991b063dc51467fa901dce3fb2afc383afed1c596ec432363022_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-operator-bundle@sha256:c0d7ed557a77e880b7d78eb3a87a05cadaf8711eea4e024fece782f5a68edebe_amd64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:1fc8714e90d4b7a9ca8e6d9360f692fee9a764d6e556d5241886dbf116df8902_arm64",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:227cecaf494ed3999aee9743b93371bd11eebce31538d34bea239133f473e3dd_s390x",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:5d74f4badc192e18e4cf8027a2091cf5148f1426e0542bc5d7a5ecaf6dd9cf87_ppc64le",
            "Red Hat OpenShift AI 2.25:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:a2362d90bb91fd360fdbfe760206da6a30024cca09b9839bdbfe0573a3e76ace_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2026-06-08T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints"
    }
  ]
}

