CVE-2026-59819
Received Received - Intake

Path Traversal in LiteLLM Proxy Server

Vulnerability report for CVE-2026-59819, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.10-stable, LiteLLM's /health/test_connection endpoint resolved request-supplied environment and OIDC file references in litellm_params, allowing a proxy administrator or another privileged caller with permission to test model connections to read files from the local filesystem via an oidc/file/ reference. This issue is fixed in version 1.83.10-stable.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
berriai litellm 1.83.10-stable

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows privileged proxy administrators or callers with permission to read local filesystem files via the /health/test_connection endpoint by exploiting environment and OIDC file references. Since it requires high privileges and is considered a defense-in-depth issue, it primarily poses a risk of unauthorized local file access within trusted administrative contexts.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, unauthorized access to local files could potentially expose sensitive data, which may impact compliance with data protection regulations if exploited.

The vulnerability is rated as low severity (CVSS 2.1) and requires privileged access, suggesting that proper access controls and limiting endpoint access to trusted administratorsβ€”as recommendedβ€”can mitigate risks relevant to compliance.

Detection Guidance

This vulnerability involves the /health/test_connection endpoint resolving request-supplied environment and OIDC file references, which can be exploited by privileged callers to read local filesystem files.

To detect this vulnerability on your system, you can check the LiteLLM version running on your server. Versions prior to 1.83.10-stable are vulnerable.

You can also monitor or test access to the /health/test_connection endpoint for attempts to use environment or oidc/file/ references in litellm_params.

  • Check LiteLLM version: Run a command or query to identify the installed LiteLLM version, for example, checking the Docker image tag or the installed package version.
  • Use curl or similar tools to test the /health/test_connection endpoint with crafted parameters to see if environment or oidc/file/ references are resolved. For example:
  • curl -X POST http://<liteLLM-server>/health/test_connection -d '{"litellm_params": {"some_key": "os.environ/SECRET"}}' -H 'Content-Type: application/json'
  • Check server logs for any suspicious access or errors related to the /health/test_connection endpoint.
Mitigation Strategies

The primary mitigation is to upgrade LiteLLM to version 1.83.10-stable or later, where this vulnerability is fixed.

If upgrading immediately is not possible, restrict access to the /health/test_connection endpoint to trusted administrators only to prevent unauthorized exploitation.

Additionally, configure the environment variable LITELLM_OIDC_ALLOWED_CREDENTIAL_DIRS to limit allowed directories for oidc/file/ references, ensuring paths outside these directories are rejected.

Executive Summary

The vulnerability exists in LiteLLM's /health/test_connection endpoint prior to version 1.83.10-stable. This endpoint resolved environment variable and OIDC file references supplied in request parameters, which allowed a proxy administrator or another privileged caller with permission to test model connections to read files from the local filesystem via an oidc/file/ reference.

This means that privileged users could exploit this behavior to access local files on the server that they should not normally be able to read.

The issue was fixed by tightening validation to reject environment variable references in request parameters and enforcing that file paths must reside within allowed credential directories, preventing path traversal or symlink attacks.

Impact Analysis

This vulnerability allows privileged proxy administrators or callers with permission to test model connections to read arbitrary files from the local filesystem by exploiting the /health/test_connection endpoint.

While it requires high privileges and is considered a defense-in-depth issue rather than a cross-tenant privilege bypass, it could lead to unauthorized disclosure of sensitive files if exploited.

The impact is limited by the requirement of privileged access, but it still poses a risk of information leakage within the trusted administrative environment.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59819. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart