Bug 2491142 (CVE-2026-12797)

Summary: CVE-2026-12797 litellm: BerriAI litellm: Incorrect authorization via prompt manipulation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: dschmidt, erezende, ilpinto, jkoehler, jlanda, jwong, kshier, lphiri, ltomasbo, omaciel, simaishi, smcdonal, stcannon, teagle, ttakamiy, yguenane, ykashtan
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in BerriAI litellm. A remote attacker could manipulate the `prompt` argument in the `async_pre_call_hook` function of the Completions Interface component. This manipulation leads to incorrect authorization, potentially allowing the attacker to bypass security controls and perform unauthorized actions within the system. Administrators for the LLM proxy believe their blocklist and content-safety checks are active, but no input validation actually runs.

Description OSIDB Bzimport 2026-06-21 11:01:18 UTC
A security flaw has been discovered in BerriAI litellm up to version 1.82.5. The affected code is the function `async_pre_call_hook` in the file `enterprise/enterprise_hooks/banned_keywords.py`, part of the Completions Interface component. Manipulation of the `prompt` argument results in incorrect authorization. The attack can be carried out remotely. An exploit has been released to the public and may be used in attacks. The vendor was contacted early about this disclosure.