CVE-2026-49468

Description

### Impact A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from `request.url.path` in `litellm/proxy/auth/auth_utils.py::get_request_route()`, which Starlette reconstructs from the `Host` header. A crafted `Host` could therefore make the auth gate evaluate a different route from the one FastAPI dispatched. **Most deployments are not affected.** The bypass is blocked by any upstream layer that validates or normalizes `Host`, such as: - a CDN or WAF, such as Cloudflare - a reverse proxy with `server_name` allowlists - a host-based load balancer **LiteLLM Cloud customers are not affected.** ### Patches Fixed in **`1.84.0`**. Upgrade to `1.84.0` or later. No configuration change is required. ### Workarounds If upgrading is not immediately possible, place the proxy behind an upstream component that validates or normalizes the `Host` header before forwarding (a CDN/WAF, a reverse proxy with explicit `server_name` allowlists, or a cloud load balancer with host-based routing rules), or otherwise restrict network access to the proxy listener. ### References - Patched release: [`v1.84.0`](https://github.com/BerriAI/litellm/releases/tag/v1.84.0) **Discovery Credit**: Le The Thang (KCSC) and Kim Ngoc Chung (One Mount Group)

How to fix CVE-2026-49468

To remediate CVE-2026-49468, upgrade the affected package to a fixed version below.

• —upgrade to 1.84.0 or later

Is CVE-2026-49468 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-49468.

Affected packages (1)

• from 0, < 1.84.0

CVSS scores

References (3)

• PATCHgithub.com/BerriAI/litellm
• WEBgithub.com/BerriAI/litellm/releases/tag/v1.84.0
• WEBgithub.com/BerriAI/litellm/security/advisories/GHSA-4xpc-pv4p-pm3w