CVE-2026-35030 Overview
CVE-2026-35030 is a critical authentication bypass vulnerability in LiteLLM, an AI Gateway proxy server used to call LLM APIs in OpenAI (or native) format. When JWT authentication is enabled via the enable_jwt_auth: true configuration option, the OIDC userinfo cache derives its key from only the first 20 characters of the token (token[:20]). Because the base64url-encoded JWT header is identical for tokens produced with the same signing algorithm, those first 20 characters are the same across such tokens, so an unauthenticated attacker can craft a token that collides with a legitimate user's cached entry and effectively inherit that user's identity and permissions.
Critical Impact
An unauthenticated attacker can bypass authentication and impersonate any legitimate user by exploiting cache key collisions, gaining unauthorized access to LLM API resources with the victim's full permissions.
Affected Products
- LiteLLM versions prior to 1.83.0
- Deployments with JWT/OIDC authentication enabled (enable_jwt_auth: true)
- LiteLLM proxy server configurations using OIDC userinfo caching
Discovery Timeline
- April 6, 2026 - CVE-2026-35030 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35030
Vulnerability Analysis
This vulnerability (CWE-287: Improper Authentication) exists in LiteLLM's OIDC userinfo caching mechanism. When JWT authentication is enabled, the application caches user information to improve performance and reduce redundant calls to the identity provider. However, the cache key derivation algorithm truncates the JWT to its first 20 characters, creating a predictable collision space.
JWTs following the standard format begin with a base64url-encoded header that names the signing algorithm and token type. For tokens signed with the same algorithm (e.g., RS256), this header is often identical or highly similar. Since the first 20 characters of a JWT typically fall within the encoded header, many distinct tokens produce the same cache key.
When an attacker sends a crafted token whose first 20 characters match a cached legitimate token, the cache lookup succeeds and returns the legitimate user's identity information. The attacker then inherits all permissions and access rights associated with that user without ever needing valid credentials.
Root Cause
The root cause is an insecure cache key derivation scheme in the OIDC userinfo cache implementation. Using token[:20] as a cache key is fundamentally flawed because JWT headers are highly predictable and often identical across tokens from the same issuer using the same signing algorithm. A cryptographically secure approach would use a hash of the entire token or a unique token identifier (such as the jti claim) as the cache key.
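To make the root cause concrete, here is an added example (not LiteLLM's own code): a toy userinfo cache keyed once by token[:20] and once by a SHA-256 of the whole token, exercised with two constructed, unsigned JWT-shaped tokens for different users. Under the weak key a lookup with bob's token returns alice's cached identity; under the hash key it misses.

```python
import base64
import hashlib
import json
from typing import Callable, Optional

# Added example, not LiteLLM's own code: a toy userinfo cache contrasting
# the vulnerable key scheme (token[:20]) with a hash of the whole token.
# Tokens below are constructed, unsigned samples shaped like JWTs.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(sub: str, signature: str) -> str:
    """Build a JWT-shaped string header.payload.signature (constructed)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub}).encode())
    return f"{header}.{payload}.{b64url(signature.encode())}"

def weak_key(token: str) -> str:
    """Vulnerable scheme from the advisory: only the prefix is used."""
    return token[:20]

def strong_key(token: str) -> str:
    """Fixed scheme: every byte of the token contributes to the key."""
    return hashlib.sha256(token.encode()).hexdigest()

class UserInfoCache:
    def __init__(self, key_fn: Callable[[str], str]) -> None:
        self.key_fn = key_fn
        self.store: dict = {}

    def put(self, token: str, userinfo: dict) -> None:
        self.store[self.key_fn(token)] = userinfo

    def get(self, token: str) -> Optional[dict]:
        return self.store.get(self.key_fn(token))

def collision_demo(key_fn: Callable[[str], str]) -> Optional[str]:
    """Cache alice's userinfo, then look up with bob's distinct token.
    Returns the 'sub' the cache answers for bob (None means a miss)."""
    cache = UserInfoCache(key_fn)
    alice, bob = make_token("alice", "sig-alice"), make_token("bob", "sig-bob")
    cache.put(alice, {"sub": "alice", "role": "admin"})
    hit = cache.get(bob)
    return hit["sub"] if hit else None

if __name__ == "__main__":
    print("token[:20] key serves bob as:", collision_demo(weak_key))   # alice
    print("sha256 key serves bob as:", collision_demo(strong_key))     # None
```

Hashing the full token fixes the key space; the cache entry must additionally be populated only after signature verification succeeds, otherwise a hit still short-circuits validation.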
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker with network access to the LiteLLM proxy can:
- Identify that the target deployment has JWT authentication enabled
- Observe or predict the JWT header format used by legitimate tokens (typically standard across an organization)
- Craft a malicious token with matching first 20 characters
- Send requests to the proxy with the crafted token
- Upon cache hit, gain access with the legitimate user's identity and permissions
The vulnerability allows unauthorized access to any LLM API endpoints protected by the JWT authentication mechanism, potentially exposing sensitive AI workloads and data.
Detection Methods for CVE-2026-35030
Indicators of Compromise
- Unusual authentication patterns with JWT tokens that have identical prefixes but different signatures
- Authentication success events from tokens that fail signature verification
- Multiple user sessions appearing to originate from different tokens with matching cache keys
- Unexpected user activity from accounts that haven't performed active authentication recently
Detection Strategies
- Implement logging for JWT cache hits and misses with full token hashes for correlation
- Monitor for authentication events where token validation status is inconsistent
- Alert on sudden changes in user behavior patterns following cache-based authentication
- Analyze JWT token entropy and header patterns in authentication logs
Monitoring Recommendations
- Enable detailed authentication logging in LiteLLM proxy configurations
- Deploy network monitoring to detect anomalous API access patterns
- Implement user behavior analytics to identify session anomalies
- Review access logs for users gaining access without corresponding identity provider authentication events
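The correlation suggested above (log cache hits and misses with full token hashes, then flag access that has no matching identity-provider verification event) as an added example that is not part of the original page. The log format, its field names and the log lines themselves are constructed assumptions.

```python
import json
from collections import defaultdict

# Added example, not from LiteLLM: correlate constructed auth-log lines to
# spot the collision pattern this advisory describes. Assumed fields per
# line: ts, event (jwt_verified | cache_miss | cache_hit), user,
# token_prefix (the cache key, token[:20]) and token_sha256 (full hash).

SAMPLE_LOG = """\
{"ts": "2026-04-07T10:00:01Z", "event": "jwt_verified", "user": "alice", "token_prefix": "eyJhbGciOiJSUzI1NiIs", "token_sha256": "aaaa1111"}
{"ts": "2026-04-07T10:00:01Z", "event": "cache_miss", "user": "alice", "token_prefix": "eyJhbGciOiJSUzI1NiIs", "token_sha256": "aaaa1111"}
{"ts": "2026-04-07T10:00:05Z", "event": "cache_hit", "user": "alice", "token_prefix": "eyJhbGciOiJSUzI1NiIs", "token_sha256": "aaaa1111"}
{"ts": "2026-04-07T10:02:30Z", "event": "cache_hit", "user": "alice", "token_prefix": "eyJhbGciOiJSUzI1NiIs", "token_sha256": "bbbb2222"}
{"ts": "2026-04-07T10:03:00Z", "event": "jwt_verified", "user": "carol", "token_prefix": "eyJhbGciOiJFUzI1NiIs", "token_sha256": "cccc3333"}
{"ts": "2026-04-07T10:03:00Z", "event": "cache_miss", "user": "carol", "token_prefix": "eyJhbGciOiJFUzI1NiIs", "token_sha256": "cccc3333"}
"""

def find_suspicious_hits(log_text: str) -> list:
    """Return cache_hit records whose token hash was never verified.

    Such a hit means the cache answered for a token the proxy did not
    validate; the other hashes sharing its prefix show the collision."""
    records = [json.loads(ln) for ln in log_text.splitlines() if ln.strip()]
    verified = {r["token_sha256"] for r in records if r["event"] == "jwt_verified"}
    hashes_per_prefix = defaultdict(set)
    for r in records:
        hashes_per_prefix[r["token_prefix"]].add(r["token_sha256"])
    findings = []
    for r in records:
        if r["event"] != "cache_hit" or r["token_sha256"] in verified:
            continue
        others = hashes_per_prefix[r["token_prefix"]] - {r["token_sha256"]}
        findings.append({"ts": r["ts"], "user": r["user"],
                         "token_sha256": r["token_sha256"],
                         "prefix_shared_with": sorted(others)})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_hits(SAMPLE_LOG):
        print("unverified cache hit:", f)
```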
How to Mitigate CVE-2026-35030
Immediate Actions Required
- Upgrade LiteLLM to version 1.83.0 or later immediately
- If an upgrade is not immediately possible, disable JWT authentication (enable_jwt_auth: false) until patching is complete
- Clear all existing OIDC userinfo caches to invalidate any potentially compromised cached identities
- Review access logs for signs of exploitation and investigate any anomalies
Patch Information
The vulnerability has been fixed in LiteLLM version 1.83.0. Organizations should upgrade to this version or later to address the cache key collision vulnerability. Detailed information about the fix is available in the GitHub Security Advisory GHSA-jjhc-v7c2-5hh6.
Workarounds
- Disable JWT authentication by setting enable_jwt_auth: false in the LiteLLM configuration until the patch can be applied
- Implement additional network-level authentication controls such as mTLS or IP allowlisting to restrict access to the proxy
- Deploy a web application firewall (WAF) with custom rules to validate JWT token integrity before forwarding to LiteLLM
- Consider using alternative authentication mechanisms supported by LiteLLM that do not rely on the vulnerable caching implementation
# Configuration example - disable JWT authentication until patched
# In your LiteLLM proxy config (config.yaml), the option lives under general_settings:
general_settings:
  enable_jwt_auth: false

# Verify the LiteLLM version after upgrading (shell)
pip show litellm | grep Version
# Expected: Version: 1.83.0 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.