CVE-2026-42203
Code Execution in LiteLLM Proxy via Prompt Template
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| berriai | litellm | From 1.80.5 (inc) to 1.83.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42203 is a Server-Side Template Injection vulnerability in the LiteLLM Proxy server, specifically affecting versions from 1.80.5 up to but not including 1.83.7.
The vulnerability exists in the POST /prompts/test endpoint, which accepts user-supplied prompt templates and renders them without proper sandboxing. This means that an attacker who has a valid proxy API key can craft a malicious template that executes arbitrary code inside the LiteLLM Proxy process.
Because the endpoint only requires a valid API key for access, any authenticated user can exploit this flaw to run code, potentially leading to exposure of sensitive environment variables like provider API keys or database credentials, and even execute commands on the host system.
This vulnerability has been fixed in version 1.83.7 by introducing a sandboxed environment that blocks the exploited attributes.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized code execution within the LiteLLM Proxy process.
An attacker with a valid API key could exploit this to run arbitrary commands on the host system, potentially compromising the entire server.
Additionally, sensitive information stored in environment variables, such as provider API keys or database credentials, could be exposed to the attacker.
This could lead to further attacks, data breaches, or unauthorized access to other systems connected to the compromised environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your LiteLLM Proxy instance is running a vulnerable version between 1.80.5 and before 1.83.7 and if the POST /prompts/test endpoint is accessible with a valid proxy API key.
You can check the version of LiteLLM Proxy running on your system by querying the application or checking its version metadata.
To detect exploitation attempts or test for vulnerability, you might attempt to send crafted POST requests to the /prompts/test endpoint using a valid proxy API key and observe if arbitrary code execution or unexpected behavior occurs.
- Use curl or similar tools to send a POST request to the /prompts/test endpoint with a crafted template payload and a valid API key.
- Example command to test endpoint accessibility (replace <API_KEY> and <URL>):
- curl -X POST <URL>/prompts/test -H "Authorization: Bearer <API_KEY>" -d '{"template": "{{7*7}}"}'
If the response evaluates the template (e.g., returns 49), it indicates the endpoint is processing templates and may be vulnerable if running an affected version.
Monitoring logs for unusual POST requests to /prompts/test or unexpected environment variable exposures can also help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading LiteLLM Proxy to version 1.83.7 or later, where the vulnerability has been patched by introducing a sandboxed environment that blocks the exploited attributes.
If upgrading immediately is not possible, implement workarounds such as:
- Blocking access to the POST /prompts/test endpoint at a reverse proxy or firewall level to prevent exploitation.
- Rotating API keys to invalidate any potentially compromised keys.
These steps reduce the risk of arbitrary code execution and exposure of sensitive environment variables until a full upgrade can be performed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker with a valid proxy API key to execute arbitrary code within the LiteLLM Proxy process, potentially exposing sensitive environment variables such as provider API keys or database credentials.
Exposure of such sensitive information could lead to unauthorized access to personal data or critical systems, which may result in non-compliance with data protection regulations like GDPR or HIPAA that require safeguarding sensitive data.
Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of sensitive data, impacting compliance with common security and privacy standards.