CVE-2026-42203
Undergoing Analysis Undergoing Analysis - In Progress
Code Execution in LiteLLM Proxy via Prompt Template

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42203
EUVD
EUVD-2026-28502
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
berriai litellm From 1.80.5 (inc) to 1.83.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42203 is a Server-Side Template Injection vulnerability in the LiteLLM Proxy server, specifically affecting versions from 1.80.5 up to but not including 1.83.7.

The vulnerability exists in the POST /prompts/test endpoint, which accepts user-supplied prompt templates and renders them without proper sandboxing. This means that an attacker who has a valid proxy API key can craft a malicious template that executes arbitrary code inside the LiteLLM Proxy process.

Because the endpoint only requires a valid API key for access, any authenticated user can exploit this flaw to run code, potentially leading to exposure of sensitive environment variables like provider API keys or database credentials, and even execute commands on the host system.

This vulnerability has been fixed in version 1.83.7 by introducing a sandboxed environment that blocks the exploited attributes.

Impact Analysis

This vulnerability can have serious impacts including unauthorized code execution within the LiteLLM Proxy process.

An attacker with a valid API key could exploit this to run arbitrary commands on the host system, potentially compromising the entire server.

Additionally, sensitive information stored in environment variables, such as provider API keys or database credentials, could be exposed to the attacker.

This could lead to further attacks, data breaches, or unauthorized access to other systems connected to the compromised environment.

Detection Guidance

Detection of this vulnerability involves identifying if your LiteLLM Proxy instance is running a vulnerable version between 1.80.5 and before 1.83.7 and if the POST /prompts/test endpoint is accessible with a valid proxy API key.

You can check the version of LiteLLM Proxy running on your system by querying the application or checking its version metadata.

To detect exploitation attempts or test for vulnerability, you might attempt to send crafted POST requests to the /prompts/test endpoint using a valid proxy API key and observe if arbitrary code execution or unexpected behavior occurs.

  • Use curl or similar tools to send a POST request to the /prompts/test endpoint with a crafted template payload and a valid API key.
  • Example command to test endpoint accessibility (replace <API_KEY> and <URL>):
  • curl -X POST <URL>/prompts/test -H "Authorization: Bearer <API_KEY>" -d '{"template": "{{7*7}}"}'

If the response evaluates the template (e.g., returns 49), it indicates the endpoint is processing templates and may be vulnerable if running an affected version.

Monitoring logs for unusual POST requests to /prompts/test or unexpected environment variable exposures can also help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include upgrading LiteLLM Proxy to version 1.83.7 or later, where the vulnerability has been patched by introducing a sandboxed environment that blocks the exploited attributes.

If upgrading immediately is not possible, implement workarounds such as:

  • Blocking access to the POST /prompts/test endpoint at a reverse proxy or firewall level to prevent exploitation.
  • Rotating API keys to invalidate any potentially compromised keys.

These steps reduce the risk of arbitrary code execution and exposure of sensitive environment variables until a full upgrade can be performed.

Compliance Impact

The vulnerability allows an attacker with a valid proxy API key to execute arbitrary code within the LiteLLM Proxy process, potentially exposing sensitive environment variables such as provider API keys or database credentials.

Exposure of such sensitive information could lead to unauthorized access to personal data or critical systems, which may result in non-compliance with data protection regulations like GDPR or HIPAA that require safeguarding sensitive data.

Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of sensitive data, impacting compliance with common security and privacy standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42203. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart