Bug 2467917 (CVE-2026-42203)

Summary: CVE-2026-42203 litellm: LiteLLM: Arbitrary code execution via unsandboxed prompt templates
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dschmidt, erezende, jkoehler, jlanda, jwong, kshier, lphiri, omaciel, simaishi, smcdonal, stcannon, teagle, ttakamiy, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in LiteLLM, an AI Gateway. An authenticated user could exploit this by sending a crafted prompt template to the POST /prompts/test endpoint. The endpoint rendered user-supplied prompt templates without proper sandboxing. This could lead to arbitrary code execution within the LiteLLM Proxy process, potentially exposing sensitive information such as API keys or database credentials, and allowing commands to be run on the host system.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-08 04:02:13 UTC
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.