Bug 2501202 (CVE-2026-30623)
| Summary: | CVE-2026-30623 litellm: LiteLLM: Remote code execution via unvalidated MCP server configuration | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | dschmidt, ebourniv, hasun, ilpinto, jlanda, jwong, kshier, lgallett, ltomasbo, nyancey, omaciel, ptisnovs, sbunciak, simaishi, stcannon, teagle, ttakamiy, yguenane, ykashtan |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in LiteLLM. This vulnerability allows a remote attacker to execute arbitrary operating system commands on the host where LiteLLM is running. This is possible because the application's MCP server creation functionality processes JSON configurations that can include unvalidated command and argument values. Successful exploitation could lead to a complete compromise of the affected system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-07-15 22:03:01 UTC
|