{"data":{"id":"85e9dc1d-074e-468e-bff2-903d2873233e","title":"GHSA-jjhc-v7c2-5hh6: LiteLLM: Authentication bypass via OIDC userinfo cache key collision","summary":"LiteLLM had a security flaw where JWT authentication (a method to verify user identity using encoded tokens) could be bypassed through a cache key collision. When JWT authentication was enabled, the system only used the first 20 characters of a token as a cache key, and since different tokens from the same signing algorithm could have identical first 20 characters, an attacker could create a fake token matching a legitimate user's cached token and gain their permissions. The flaw only affects deployments with JWT/OIDC authentication explicitly enabled, which is not the default configuration.","solution":"Fixed in v1.83.0, where the cache key now uses the full hash of the JWT token instead of just the first 20 characters. Alternatively, disable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-jjhc-v7c2-5hh6","publishedAt":"2026-04-03T21:59:50.000Z","cveId":"CVE-2026-35030","cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["other"],"issueType":"vulnerability","affectedPackages":["litellm@< 1.83.0 (fixed: 1.83.0)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["LiteLLM"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-03T21:59:50.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}