Litellm

A remote, authenticated attacker can exploit multiple vulnerabilities in LiteLLM to escalate their privileges.

A command injection vulnerability exists in LiteLLM versions 1.74.2 to < 1.83.7, allowing authenticated users with a valid API key to execute arbitrary OS commands as root via the MCP stdio transport through the `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` endpoints, especially in default Docker deployments, and a public exploit is available.

A remote, authenticated attacker can exploit a vulnerability in LiteLLM to execute arbitrary program code and disclose sensitive information.

Multiple vulnerabilities in LiteLLM could allow an attacker to perform a SQL injection attack and gain unauthorized access or execute arbitrary code with the privileges of the service.

VECT 2.0 ransomware, a RaaS offering, permanently destroys large files due to an encryption flaw, discarding decryption nonces for files above 128 KB, rendering them unrecoverable and effectively acting as a wiper; it uses raw ChaCha20-IETF with no authentication.

The April 2026 Red Canary Intelligence Insights highlights the axios npm compromise, TeamPCP's LiteLLM compromise via PyPI, and a surge in Microsoft Teams phishing, leading to RAT deployment, credential harvesting, ransomware deployment, or data theft.

A SQL injection vulnerability exists in LiteLLM versions 1.81.16 to prior to 1.83.7 allowing an unauthenticated attacker to inject SQL queries via a crafted 'Authorization' header, potentially leading to unauthorized data access or modification.

A server-side template injection vulnerability in LiteLLM versions 1.80.5 to before 1.83.7 allows authenticated users to execute arbitrary code within the LiteLLM Proxy process via a crafted prompt template, potentially exposing sensitive information and enabling command execution on the host.

Authenticated users with low-privilege API keys could execute arbitrary commands on the host running LiteLLM via the `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` endpoints, by submitting a server configuration including command execution parameters.