CVE-2026-42203 Overview
CVE-2026-42203 is a remote code execution vulnerability in LiteLLM, an AI Gateway proxy server used to call large language model (LLM) APIs in OpenAI-compatible format. The flaw affects the POST /prompts/test endpoint, which accepts user-supplied prompt templates and renders them without sandboxing. Any authenticated user holding a valid proxy API key can submit a crafted template that executes arbitrary code inside the LiteLLM Proxy process. The vulnerability impacts versions 1.80.5 through versions prior to 1.83.7 and is tracked under [CWE-1336] (Improper Neutralization of Special Elements Used in a Template Engine).
Critical Impact
Authenticated attackers can execute arbitrary code in the LiteLLM Proxy process, exposing provider API keys, database credentials, and host-level command execution.
Affected Products
- LiteLLM versions 1.80.5 through 1.83.6
- LiteLLM Proxy deployments exposing the /prompts/test endpoint
- Self-hosted AI Gateway instances using vulnerable LiteLLM releases
Discovery Timeline
- 2026-05-08 - CVE-2026-42203 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42203
Vulnerability Analysis
LiteLLM functions as a proxy server that normalizes calls to multiple LLM providers behind a single OpenAI-compatible API. The POST /prompts/test endpoint was introduced to allow users to validate prompt templates before deployment. The endpoint accepts a template string from the request body and renders it server-side using a template engine without applying a sandbox or output filter. An attacker who controls the template body controls the rendering context, which permits execution of arbitrary expressions evaluated by the template engine inside the proxy process.
The endpoint enforces only proxy API key authentication. It performs no role check, no template content validation, and no isolation between the rendering process and the host environment. As a result, any user who can authenticate to the proxy reaches a code execution primitive.
Root Cause
The root cause is unsandboxed evaluation of attacker-controlled template input, classified under [CWE-1336]. The /prompts/test handler passes user input directly to the template renderer, which exposes Python built-ins and module access through standard template features. The trust boundary assumes any API-key holder is benign, which conflicts with multi-tenant deployments where keys are issued broadly to internal teams or downstream applications.
Attack Vector
Exploitation requires network access to the LiteLLM Proxy and a valid API key. The attacker sends an HTTP POST request to /prompts/test containing a template payload that references restricted attributes such as __class__, __mro__, or __subclasses__ to reach os.system or equivalent execution functions. Upon rendering, the proxy process executes the embedded code with the privileges of the LiteLLM service account. Depending on deployment, this exposes provider API keys, database connection strings, and any secrets present in the process environment, and enables arbitrary shell commands on the host.
No verified exploit code is publicly available. Refer to the GitHub Security Advisory GHSA-xqmj-j6mv-4862 for vendor analysis.
Detection Methods for CVE-2026-42203
Indicators of Compromise
- HTTP POST requests to the /prompts/test endpoint containing template syntax such as {{, __class__, __subclasses__, or __import__
- Unexpected child processes spawned by the LiteLLM Proxy process (for example sh, bash, curl, wget, or python)
- Outbound network connections from the LiteLLM host to unknown destinations following /prompts/test activity
- Access to environment files or credential stores by the LiteLLM service account outside normal operation
Detection Strategies
- Inspect proxy access logs for POST /prompts/test requests and correlate with API key identity and source IP address
- Alert on template metacharacters and Python dunder attributes appearing in request bodies to LiteLLM endpoints
- Monitor process lineage from the LiteLLM service for shell or interpreter child processes that deviate from baseline behavior
Monitoring Recommendations
- Forward LiteLLM application logs and host process telemetry to a centralized analytics pipeline for correlation
- Track API key usage patterns and flag accounts that invoke /prompts/test outside of expected development workflows
- Capture egress network traffic from LiteLLM hosts and review for connections to unrecognized external endpoints
How to Mitigate CVE-2026-42203
Immediate Actions Required
- Upgrade LiteLLM to version 1.83.7 or later, which contains the patched /prompts/test handler
- Rotate all provider API keys, database credentials, and secrets that were present in the LiteLLM Proxy environment
- Audit proxy access logs for prior invocations of /prompts/test and investigate any anomalous requests
- Restrict network exposure of the LiteLLM Proxy to trusted internal networks until patching is verified
Patch Information
The vendor released the fix in LiteLLM v1.83.7-stable. Full technical details and the patch reference are available in the GitHub Security Advisory GHSA-xqmj-j6mv-4862.
Workarounds
- Block access to the /prompts/test endpoint at an upstream reverse proxy or web application firewall until the upgrade is applied
- Reduce the population of users holding valid proxy API keys and revoke unused keys to limit the authenticated attack surface
- Run the LiteLLM Proxy as a low-privilege user inside a container with read-only filesystem and minimal egress to constrain post-exploitation impact
# Example NGINX block for the vulnerable endpoint
location = /prompts/test {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
