Bug 2498192 (CVE-2026-59819)
| Summary: | CVE-2026-59819 litellm: LiteLLM: Information disclosure via local file read in test connection endpoint | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | anpicker, aruklets, bbrownin, bparees, doconnor, dschmidt, ebourniv, hasun, ilpinto, jfula, jlanda, jowilson, jwong, kshier, lgallett, ltomasbo, nyancey, omaciel, ometelka, ptisnovs, sbunciak, simaishi, stcannon, syedriko, teagle, ttakamiy, xdharmai, yguenane, ykashtan |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in LiteLLM, a proxy server for Large Language Model (LLM) APIs. A privileged caller, such as a proxy administrator, with permissions to test model connections, could exploit the /health/test_connection endpoint. By supplying specific environment or OIDC (OpenID Connect) file references, an attacker could read arbitrary files from the local filesystem. This unauthorized file access could lead to information disclosure.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-07-08 20:01:27 UTC
|