Executive Summary

CVE-2026-12797 is a security feature bypass vulnerability in the LiteLLM proxy affecting the BannedKeywords and AzureContentSafety guardrails. The problem arises because these security hooks only check for the synchronous call_type value "completion," while HTTP API requests to the /v1/chat/completions endpoint are routed asynchronously with call_type set to "acompletion." Since "acompletion" does not match "completion," the security checks are never triggered, allowing banned keywords or harmful content to bypass filtering entirely.

This vulnerability affects all HTTP API requests in deployments using these guardrails for content moderation in LiteLLM versions up to 1.82.5 and has not been patched. The root cause is an oversight during prior fixes, as other hooks in the codebase have already been updated to handle both call_type values.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows banned keywords or harmful content to bypass the content moderation filters silently. As a result, malicious or inappropriate content can be delivered through the affected system without detection.

The impact is significant because it undermines the intended security posture of the proxy, giving administrators a false sense of protection and potentially exposing users or systems to harmful or unauthorized content.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP API requests to the /v1/chat/completions endpoint and checking if the security hooks for banned keywords or harmful content are being bypassed due to asynchronous call_type values.

Specifically, look for requests where the call_type is set to "acompletion" instead of "completion," as the security checks only trigger on the latter.

Commands to detect this might include capturing and inspecting HTTP traffic to identify such asynchronous calls that bypass the banned keywords filter.

• Use network traffic analysis tools like tcpdump or Wireshark to capture HTTP requests to /v1/chat/completions.
• Filter captured traffic for HTTP POST requests with JSON payloads containing "call_type": "acompletion".
• Example tcpdump command: tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep -i '/v1/chat/completions'
• Use tools like jq to parse JSON payloads from logs or captured traffic to identify the call_type field.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the vulnerable LiteLLM proxy component until a patch is available.

Administrators should review and update the security hooks to handle both synchronous and asynchronous call_type values, ensuring that banned keywords and harmful content filters are applied correctly.

Additionally, monitor and audit API requests to detect any attempts to bypass content moderation.

Since no patch is currently available, consider implementing external filtering or proxying mechanisms to enforce content moderation.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows banned keywords or harmful content to bypass filtering entirely in deployments using the affected guardrails for content moderation. As a result, the security posture intended to prevent unauthorized or harmful content is silently undermined, potentially leading to unauthorized data exposure or processing.

Such a failure in content moderation and authorization controls could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require adequate protection of sensitive data and prevention of unauthorized access or processing.

However, the provided information does not explicitly state the direct effects on compliance with these standards.

Useful 0 Not Useful 0