CVE-2026-42271: LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before vers
Summary
LiteLLM is a proxy server (an intermediary that forwards requests between clients and AI language model APIs) that had a critical vulnerability in versions 1.74.2 through 1.83.6. Two test endpoints allowed users to submit server configurations that could execute arbitrary commands (running any code an attacker wants) on the server itself, as long as they had a valid API key, even a low-privilege one.
Solution / Mitigation
This issue has been patched in version 1.83.7. Users should upgrade to version 1.83.7 or later.
Vulnerability Details
EPSS: 0.0%
May 8, 2026
Classification
Affected Vendors
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42271
First tracked: May 8, 2026 at 02:12 AM
Classified by LLM (prompt v3) · confidence: 95%