{"id":"PYSEC-2026-388","summary":"LiteLLM: Authentication Bypass via Host Header Injection","details":"### Impact\n\nA Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes.\n\nThe auth layer derived the effective route from `request.url.path` in `litellm/proxy/auth/auth_utils.py::get_request_route()`, which Starlette reconstructs from the `Host` header. A crafted `Host` could therefore make the auth gate evaluate a different route from the one FastAPI dispatched.\n\n**Most deployments are not affected.** The bypass is blocked by any upstream layer that validates or normalizes `Host`, such as:\n\n- a CDN or WAF, such as Cloudflare\n- a reverse proxy with `server_name` allowlists\n- a host-based load balancer\n\n**LiteLLM Cloud customers are not affected.**\n\n### Patches\n\nFixed in **`1.84.0`**. Upgrade to `1.84.0` or later. No configuration change is required.\n\n### Workarounds\n\nIf upgrading is not immediately possible, place the proxy behind an upstream component that validates or normalizes the `Host` header before forwarding (a CDN/WAF, a reverse proxy with explicit `server_name` allowlists, or a cloud load balancer with host-based routing rules), or otherwise restrict network access to the proxy listener.\n\n### References\n\n- Patched release: [`v1.84.0`](https://github.com/BerriAI/litellm/releases/tag/v1.84.0)\n\n**Discovery Credit**: Le The Thang (KCSC) and Kim Ngoc Chung (One Mount 
Group)","aliases":["CVE-2026-49468","GHSA-4xpc-pv4p-pm3w"],"modified":"2026-06-29T12:15:28.926902596Z","published":"2026-06-29T11:50:52.648950Z","references":[{"type":"WEB","url":"https://github.com/BerriAI/litellm/security/advisories/GHSA-4xpc-pv4p-pm3w"},{"type":"PACKAGE","url":"https://github.com/BerriAI/litellm"},{"type":"WEB","url":"https://github.com/BerriAI/litellm/releases/tag/v1.84.0"},{"type":"PACKAGE","url":"https://pypi.org/project/litellm"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-4xpc-pv4p-pm3w"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49468"}],"affected":[{"package":{"name":"litellm","ecosystem":"PyPI","purl":"pkg:pypi/litellm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.84.0"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.201","0.1.202","0.1.203","0.1.204","0.1.205","0.1.206","0.1.207","0.1.208","0.1.209","0.1.210","0.1.211","0.1.212","0.1.213","0.1.214","0.1.215","0.1.216","0.1.217","0.1.218","0.1.219","0.1.220","0.1.221","0.1.222","0.1.223","0.1.224","0.1.225","0.1.226","0.1.227","0.1.228","0.1.229","0.1.2291","0.1.230","0.1.231","0.1.232","0.1.233","0.1.234","0.1.235","0.1.236","0.1.237","0.1.238","0.1.3","0.1.31","0.1.32","0.1.330","0.1.331","0.1.34","0.1.341","0.1.343","0.1.345","0.1.347","0.1.348","0.1.349","0.1.351","0.1.352","0.1.353","0.1.354","0.1.356","0.1.360","0.1.361","0.1.362","0.1.363","0.1.364","0.1.365","0.1.366","0.1.367","0.1.368","0.1.369","0.1.370","0.1.371","0.1.372","0.1.373","0.1.375","0.1.376","0.1.379","0.1.380","0.1.381","0.1.383","0.1.384","0.1.385","0.1.386","0.1.387","0.1.388","0.1.389","0.1.392","0.1.393","0.1.394","0.1.398","0.1.399","0.1.400","0.1.401","0.1.402","0.1.403","0.1.404","0.1.405","0.1.410","0.1.411","0.1.412","0.1.415","0.1.419","0.1.420","0.1.421","0.1.422","0.1.424","0.1.425","0.1.426","0.1.429","0.1.433","0.1.434","0.1.435","0.1.436","0.1.437","0.1.438","0.1.439","0.1.440","0.1.441","0.1.442","0.1.443","0.1.444","0.1.445","0.1.44
6","0.1.447","0.1.448","0.1.449","0.1.450","0.1.451","0.1.452","0.1.456","0.1.457","0.1.459","0.1.460","0.1.461","0.1.464","0.1.465","0.1.475","0.1.477","0.1.479","0.1.480","0.1.481","0.1.482","0.1.486","0.1.487","0.1.488","0.1.490","0.1.491","0.1.492","0.1.493","0.1.494","0.1.495","0.1.497","0.1.500","0.1.501","0.1.504","0.1.507","0.1.508","0.1.509","0.1.510","0.1.511","0.1.512","0.1.516","0.1.517","0.1.518","0.1.520","0.1.525","0.1.530","0.1.531","0.1.533","0.1.535","0.1.536","0.1.537","0.1.538","0.1.544","0.1.546","0.1.547","0.1.548","0.1.549","0.1.550","0.1.551","0.1.552","0.1.553","0.1.554","0.1.555","0.1.556","0.1.557","0.1.558","0.1.559","0.1.560","0.1.561","0.1.562","0.1.563","0.1.567","0.1.568","0.1.569","0.1.570","0.1.574","0.1.578","0.1.580","0.1.582","0.1.583","0.1.585","0.1.586","0.1.587","0.1.590","0.1.591","0.1.593","0.1.595","0.1.596","0.1.597","0.1.598","0.1.600","0.1.601","0.1.604","0.1.605","0.1.607","0.1.609","0.1.610","0.1.615","0.1.618","0.1.619","0.1.620","0.1.621","0.1.623","0.1.624","0.1.625","0.1.626","0.1.629","0.1.630","0.1.631","0.1.632","0.1.634","0.1.635","0.1.636","0.1.638","0.1.639","0.1.641","0.1.642","0.1.643","0.1.644","0.1.645","0.1.646","0.1.647","0.1.648","0.1.649","0.1.650","0.1.651","0.1.652","0.1.674","0.1.680","0.1.681","0.1.683","0.1.685","0.1.686","0.1.687","0.1.689","0.1.690","0.1.692","0.1.693","0.1.696","0.1.697","0.1.698","0.1.700","0.1.700.dev0","0.1.700.dev1","0.1.700.dev2","0.1.700.dev3","0.1.700.dev4","0.1.700.dev5","0.1.702","0.1.704","0.1.706","0.1.714","0.1.714.dev1","0.1.715","0.1.716","0.1.719","0.1.720","0.1.721","0.1.723","0.1.724","0.1.729","0.1.736","0.1.738","0.1.743","0.1.745","0.1.746","0.1.747","0.1.748","0.1.749","0.1.750","0.1.751","0.1.758","0.1.765","0.1.769","0.1.7701","0.1.7713","0.1.772","0.1.774","0.1.780","0.1.781","0.1.784","0.1.786","0.1.788","0.1.789","0.1.793","0.1.794","0.1.805","0.1.806","0.1.807","0.1.813","0.1.814","0.1.815","0.1.816","0.1.817","0.1.818","0.1.819","0.1.820","0.1.821",
"0.1.824","0.10.0","0.10.1","0.11.1","0.12.10","0.12.11","0.12.12","0.12.4","0.12.4.dev1","0.12.4.dev2","0.12.5","0.12.5.dev1","0.12.7","0.12.7.dev1","0.12.8","0.12.9","0.13.0","0.13.1","0.13.1.dev1","0.13.1.dev2","0.13.1.dev3","0.13.2","0.13.2.dev1","0.13.3.dev1","0.13.3.dev2","0.13.6.dev1","0.13.6.dev2","0.13.6.dev3","0.13.7.dev1","0.14.0","0.14.0.dev1","0.14.1","0.2.5","0.2.6","0.3.0","0.3.1","0.4.0","0.4.4","0.5.2","0.5.3","0.5.4","0.5.6","0.6.0","0.6.1","0.6.2","0.6.6","0.7.1","0.7.1.dev1","0.7.1.dev2","0.7.1.dev3","0.7.10","0.7.3","0.7.4","0.7.5","0.7.9","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.8.6","0.9.0","0.9.1","0.9.2","0.9.2.dev1","1.0.0","1.0.0.dev1","1.0.3","1.0.3.dev1","1.1.0","1.1.1","1.1.2","1.1.3","1.10.0","1.10.1","1.10.10","1.10.11","1.10.2","1.10.3","1.10.4","1.10.6","1.10.8","1.10.9","1.10.dev11","1.11.0","1.11.1","1.12.0","1.12.1","1.12.2","1.12.3","1.12.5","1.12.5.dev1","1.12.6.dev1","1.12.6.dev2","1.12.6.dev3","1.12.6.dev4","1.12.6.dev5","1.13.2","1.14.0","1.14.0.dev1","1.14.1","1.14.10","1.14.2","1.14.3","1.14.4","1.14.5","1.14.5.dev1","1.14.6","1.14.7","1.14.8","1.14.9","1.15.0","1.15.1","1.15.10","1.15.2","1.15.3","1.15.6","1.15.7","1.15.8","1.16.0","1.16.1","1.16.11","1.16.12","1.16.18","1.16.19","1.16.2","1.16.20","1.16.21","1.16.3","1.16.4","1.16.5","1.16.6","1.16.7","1.16.8","1.16.9","1.17.0","1.17.2","1.17.3","1.17.4","1.17.5","1.17.9","1.18.0","1.18.1","1.18.13","1.18.13.dev1","1.18.13.dev4","1.18.13.dev5","1.18.14.dev8","1.18.2","1.18.6","1.18.7","1.18.8","1.19.4","1.2.0","1.20.0","1.20.5","1.20.6","1.20.7","1.20.8","1.20.9","1.21.4.dev1","1.21.6","1.21.7","1.22.3","1.22.5","1.23.0","1.23.1","1.23.15","1.23.16","1.23.2","1.23.3","1.23.5","1.24.3","1.24.5","1.25.0","1.25.1","1.25.2","1.26.0","1.26.1","1.26.13","1.26.3","1.26.8","1.27.1.dev11","1.27.1.dev30","1.27.1.dev31","1.27.1.dev40","1.27.1.dev50","1.27.1.dev60","1.27.1.dev9","1.27.4","1.27.6","1.27.8","1.28.0","1.28.1","1.28.10","1.28.11","1.28.13","1.28.4","1.29.1","1
.29.3","1.29.4.dev1","1.29.7.dev3","1.3.1","1.3.3","1.3.3.dev1","1.3.3.dev2","1.3.3.dev3","1.30.0","1.30.1","1.30.1.dev5","1.30.1.dev6","1.30.3","1.30.7","1.31.13.dev1","1.31.13.dev10","1.31.13.dev2","1.31.13.dev3","1.31.14","1.31.14.dev2","1.31.14.dev3","1.31.14.dev4","1.31.14.dev5","1.31.14.dev6","1.31.14.dev8","1.31.14.dev9","1.31.15.dev2","1.31.17","1.31.2","1.31.2.dev10","1.31.3","1.31.6","1.31.8","1.32.1","1.32.4","1.32.5.dev1","1.32.9","1.33.4","1.33.5.dev1","1.33.9","1.34.0","1.34.1","1.34.11","1.34.16","1.34.18","1.34.21","1.34.22","1.34.25","1.34.29","1.34.3","1.34.37","1.34.39","1.34.4","1.34.42","1.34.6","1.34.8","1.35.0","1.35.0.dev1","1.35.1","1.35.12","1.35.17","1.35.18","1.35.2","1.35.20","1.35.21","1.35.22","1.35.23","1.35.26","1.35.28","1.35.3","1.35.31","1.35.32","1.35.35","1.35.36","1.35.38","1.35.5","1.35.7","1.35.8","1.36.0","1.36.1","1.36.2","1.36.4","1.37.0","1.37.12","1.37.14","1.37.16","1.37.19","1.37.2","1.37.20","1.37.3","1.37.7","1.37.9","1.38.0","1.38.1","1.38.10","1.38.11","1.38.12","1.38.3","1.38.4","1.38.5","1.38.7","1.38.8","1.39.2","1.39.3","1.39.4","1.39.5","1.39.5.dev1","1.39.6","1.4.0","1.40.0","1.40.0.dev1","1.40.1","1.40.1.dev1","1.40.10","1.40.11","1.40.12","1.40.13","1.40.14","1.40.15","1.40.16","1.40.17","1.40.19","1.40.2","1.40.20","1.40.21","1.40.22","1.40.24","1.40.25","1.40.26","1.40.27","1.40.28","1.40.29","1.40.3","1.40.31","1.40.4","1.40.5","1.40.6","1.40.7","1.40.8","1.40.9","1.41.0","1.41.1","1.41.11","1.41.12","1.41.13","1.41.14","1.41.15","1.41.15.dev2","1.41.17","1.41.18","1.41.19","1.41.2","1.41.20","1.41.21","1.41.22","1.41.23","1.41.24","1.41.25","1.41.26","1.41.27","1.41.28","1.41.3","1.41.4","1.41.5","1.41.6","1.41.7","1.41.8","1.42.0","1.42.1","1.42.10","1.42.11","1.42.12","1.42.2","1.42.3","1.42.4","1.42.5","1.42.6","1.42.7","1.42.8","1.42.9","1.43.0","1.43.1","1.43.10","1.43.12","1.43.13","1.43.15","1.43.16","1.43.17","1.43.18","1.43.19","1.43.2","1.43.3","1.43.4","1.43.5","1.43.6","1.43.7","1.43.9","1.4
4.1","1.44.10","1.44.11","1.44.12","1.44.13","1.44.14","1.44.15","1.44.16","1.44.17","1.44.18","1.44.19","1.44.2","1.44.21","1.44.22","1.44.23","1.44.24","1.44.25","1.44.26","1.44.27","1.44.28","1.44.3","1.44.4","1.44.5","1.44.6","1.44.7","1.44.8","1.44.9","1.45.0","1.46.0","1.46.1","1.46.2","1.46.4","1.46.5","1.46.6","1.46.7","1.46.8","1.47.0","1.47.1","1.47.2","1.48.0","1.48.1","1.48.10","1.48.11","1.48.12","1.48.14","1.48.15","1.48.16","1.48.17","1.48.18","1.48.19","1.48.2","1.48.3","1.48.4","1.48.5","1.48.6","1.48.7","1.48.8","1.48.9","1.49.0","1.49.1","1.49.2","1.49.3","1.49.4","1.49.5","1.49.6","1.49.7","1.50.0","1.50.1","1.50.2","1.50.4","1.51.0","1.51.1","1.51.2","1.51.3","1.52.0","1.52.1","1.52.10","1.52.11","1.52.12","1.52.14","1.52.15","1.52.16","1.52.2","1.52.3","1.52.4","1.52.5","1.52.6","1.52.8","1.52.9","1.53.1","1.53.1.dev1","1.53.2","1.53.3","1.53.4","1.53.5","1.53.6","1.53.7","1.53.8","1.53.9","1.54.0","1.54.1","1.55.0","1.55.1","1.55.10","1.55.11","1.55.12","1.55.2","1.55.3","1.55.4","1.55.6","1.55.7","1.55.8","1.55.9","1.56.10","1.56.2","1.56.3","1.56.4","1.56.5","1.56.6","1.56.8","1.56.8.dev4","1.56.8.dev5","1.56.8.dev6","1.56.8.dev7","1.56.9","1.57.0","1.57.1","1.57.10","1.57.11","1.57.2","1.57.3","1.57.4","1.57.5","1.57.7","1.57.7.dev1","1.57.8","1.58.0","1.58.1","1.58.2","1.58.4","1.59.0","1.59.1","1.59.1.dev1","1.59.10","1.59.10.dev1","1.59.12","1.59.2","1.59.3","1.59.5","1.59.6","1.59.7","1.59.8","1.59.9","1.6.0","1.60.0","1.60.2","1.60.4","1.60.5","1.60.6","1.60.7","1.60.8","1.60.9","1.61.0","1.61.0.dev1","1.61.1","1.61.11","1.61.13","1.61.15","1.61.16","1.61.17","1.61.19","1.61.2","1.61.20","1.61.3","1.61.4","1.61.5","1.61.6","1.61.7","1.61.8","1.61.9","1.62.1","1.62.4","1.63.0","1.63.0.dev12","1.63.11","1.63.11.dev1","1.63.12","1.63.14","1.63.2","1.63.3","1.63.4.dev1","1.63.5","1.63.6","1.63.7","1.63.8","1.64.1","1.65.0","1.65.0.post1","1.65.1","1.65.3","1.65.4","1.65.4.post1","1.65.5","1.65.6","1.65.7","1.65.8","1.66.0","1.66.1","1.66.2
","1.66.3","1.67.0","1.67.0.post1","1.67.1","1.67.2","1.67.4","1.67.4.dev1","1.67.4.post1","1.67.5","1.67.6","1.68.0","1.68.1","1.68.1.dev1","1.68.2","1.69.0","1.69.1","1.69.2","1.69.3","1.7.1","1.7.11","1.7.12","1.7.2","1.7.3","1.7.4","1.7.5","1.7.6","1.7.7","1.7.8","1.7.9","1.70.0","1.70.2","1.70.4","1.71.0","1.71.1","1.71.2","1.71.3","1.72.0","1.72.1","1.72.2","1.72.2.post1","1.72.3","1.72.4","1.72.5.dev1","1.72.5.dev2","1.72.5.dev3","1.72.6","1.72.6.post1","1.72.6.post2","1.72.7","1.72.7.dev1","1.72.7.dev7","1.72.9","1.73.0","1.73.0.post1","1.73.0rc1","1.73.1","1.73.2","1.73.6","1.73.6.post1","1.73.6rc2","1.73.7","1.73.7.dev1","1.73.7.dev2","1.73.7.dev3","1.73.7.dev4","1.74.0","1.74.0.post1","1.74.0.post2","1.74.1","1.74.12","1.74.14","1.74.15","1.74.15.post1","1.74.15.post2","1.74.2","1.74.3","1.74.3.post1","1.74.3rc1","1.74.3rc2","1.74.3rc3","1.74.4","1.74.4.dev1","1.74.6","1.74.7","1.74.7.post1","1.74.7.post2","1.74.7rc1","1.74.8","1.74.8.dev2","1.74.9","1.74.9.dev1","1.74.9.dev2","1.74.9.post1","1.74.9.post2","1.75.0","1.75.2","1.75.3","1.75.4","1.75.5.post1","1.75.5.post2","1.75.6","1.75.7","1.75.8","1.75.9","1.76.0","1.76.1","1.76.2","1.76.3","1.77.0","1.77.1","1.77.2.post1","1.77.3","1.77.4","1.77.4.dev1","1.77.5","1.77.7","1.78.0","1.78.0rc2","1.78.2","1.78.3","1.78.4","1.78.5","1.78.6","1.78.7","1.79.0","1.79.0.dev1","1.79.0.dev2","1.79.0.dev3","1.79.1","1.79.2","1.79.3","1.79.3.dev8","1.8.1","1.80.0","1.80.10","1.80.11","1.80.12","1.80.13","1.80.15","1.80.16","1.80.17","1.80.5","1.80.6","1.80.7","1.80.8","1.80.9","1.81.0","1.81.1","1.81.10","1.81.11","1.81.12","1.81.13","1.81.14","1.81.15","1.81.16","1.81.3","1.81.4","1.81.5","1.81.6","1.81.7","1.81.8","1.81.9","1.81.9.dev1","1.82.0","1.82.1","1.82.2","1.82.3","1.82.4","1.82.5","1.82.6","1.83.0","1.83.1","1.83.10","1.83.11","1.83.12","1.83.13","1.83.14","1.83.2","1.83.3","1.83.4","1.83.5","1.83.6","1.83.7","1.83.8","1.83.9","1.84.0.dev1","1.84.0.dev2","1.84.0rc1","1.9.0","1.9.1","1.9.2","1.9.3","1.9.4"
,"1.9.5","1.9.dev0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/litellm/PYSEC-2026-388.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}