Cyber Resilience

CVE-2026-35030

Severity: Critical (updated)
Published: 06 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: fixed in v1.83.0
CVSS v4 score: 9.4
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0040 (31.4th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-35030 is a critical-severity Improper Authentication (CWE-287) vulnerability in LiteLLM (vendor: Litellm, product: Litellm). Its CVSS v4 base score is 9.4 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.4th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the Other ATLAS/OWASP Terms risk domain.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35030 is a high-severity authentication bypass vulnerability (CVSS 9.1, CWE-287) in LiteLLM, an open-source proxy server and AI gateway for calling LLM APIs in OpenAI or native formats. The issue affects versions prior to 1.83.0 when JWT authentication is explicitly enabled via the `enable_jwt_auth: true` configuration option, which is off by default. In these configurations, the OIDC userinfo cache uses the first 20 characters of the JWT token (`token[:20]`) as the cache key. Those 20 characters fall entirely within the base64url-encoded JWT header, and every token issued with the same signing algorithm carries the same header (for example `{"alg":"RS256","typ":"JWT"}`), so tokens for different users share an identical prefix and collide on the same cache key.

An unauthenticated network attacker can exploit this vulnerability with low complexity and no privileges required by crafting a malicious JWT token whose first 20 characters match those of a legitimate user's cached token. Upon a cache hit, the attacker inherits the legitimate user's identity and associated permissions, potentially gaining unauthorized high-confidentiality and high-integrity access to the LiteLLM proxy and downstream LLM APIs.

The vulnerability is addressed in LiteLLM version 1.83.0, which fixes the cache key generation to prevent collisions. Security practitioners should upgrade to v1.83.0 or later and review configurations to confirm JWT/OIDC authentication usage, as most deployments remain unaffected due to the non-default setting. Additional details are available in the GitHub Security Advisory at https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
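The collision described in the analysis and in the advisory text above, as an added, constructed example that is not LiteLLM's code: a userinfo cache keyed on `token[:20]` returns one user's cached identity for a different user's token, while a cache keyed on a digest of the whole (signature-verified) token does not. The JWT builder and the cache class are hypothetical, the signature is a placeholder string, and the hashed-key variant is an illustrative hardening pattern, not the project's actual 1.83.0 patch.

```python
import base64
import hashlib
import json

# Constructed illustration of the cache-key weakness (CWE-287); not LiteLLM's
# code. The "signature" is a placeholder, not a real JWS signature. A real
# gateway verifies the signature before consulting or populating any cache.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_jwt(claims: dict, alg: str = "RS256") -> str:
    """Assemble header.payload.signature with a placeholder signature."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.placeholder-signature"

def prefix_key(token: str) -> str:
    # Weak key: the first 20 characters sit inside the base64url-encoded
    # header, which is identical for every token with the same alg/typ.
    return token[:20]

def hashed_key(token: str) -> str:
    # Hardened key: digest of the whole token, so tokens that differ anywhere
    # (payload or signature) map to different cache entries.
    return hashlib.sha256(token.encode()).hexdigest()

class UserInfoCache:
    """Minimal userinfo cache; key_fn decides what identifies a token."""
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def put(self, token: str, userinfo: dict) -> None:
        self.store[self.key_fn(token)] = userinfo

    def get(self, token: str):
        return self.store.get(self.key_fn(token))

def lookup_after_caching(key_fn):
    """Cache alice's verified userinfo, then look up a different user's token."""
    alice = make_demo_jwt({"sub": "alice", "role": "admin"})
    bob = make_demo_jwt({"sub": "bob", "role": "viewer"})
    cache = UserInfoCache(key_fn)
    cache.put(alice, {"sub": "alice", "role": "admin"})
    return cache.get(bob)  # prefix key: alice's entry; hashed key: None

if __name__ == "__main__":
    print("prefix key ->", lookup_after_caching(prefix_key))
    print("hashed key ->", lookup_after_caching(hashed_key))
```

When auditing a deployment, the same check applies to any token cache: if the key is derived from a truncated token rather than the full verified token (or its digest), two distinct tokens can share an identity entry.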

CWE(s)

CWE-287 Improper Authentication

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, llm, openai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is an authentication bypass in a public-facing proxy server (LiteLLM), enabling unauthenticated network attackers to impersonate legitimate users and gain unauthorized access, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42208 (same product: Litellm Litellm)
CVE-2026-40217 (same product: Litellm Litellm)
CVE-2026-35029 (same product: Litellm Litellm)
CVE-2026-42271 (same product: Litellm Litellm)
CVE-2026-47102 (same product: Litellm Litellm)
CVE-2024-9606 (same product: Litellm Litellm)
CVE-2026-47101 (same product: Litellm Litellm)
CVE-2026-44551 (shared CWE-287)
CVE-2025-1044 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)

Affected Assets

litellm / litellm, versions ≤ 1.83.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely identification, reporting, and correction of the specific software flaw in JWT token caching that enables authentication bypass.

IA-2 Identification and Authentication (Organizational Users) (prevent): Ensures the system implements robust identification and authentication for users, preventing bypass via flawed OIDC userinfo caching.

Authenticator management (prevent; control identifier not given on this page): Mandates proper management of JWT authenticators to avoid vulnerabilities in their processing, such as predictable cache key collisions.

References