CVE-2026-59819 in litellminfo

Summary

by MITRE • 07/08/2026

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.10-stable, LiteLLM's /health/test_connection endpoint resolved request-supplied environment and OIDC file references in litellm_params, allowing a proxy administrator or another privileged caller with permission to test model connections to read files from the local filesystem via an oidc/file/ reference. This issue is fixed in version 1.83.10-stable.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability identified in LiteLLM versions prior to 1.83.10-stable represents a critical file system access flaw within the proxy server's health testing functionality. This issue specifically affects the /health/test_connection endpoint which is designed to validate model connection configurations but inadvertently exposes a path traversal mechanism through its handling of environment variables and OIDC file references within litellm_params. The flaw allows unauthorized privilege escalation by enabling attackers to craft malicious requests that reference local file system paths through the oidc/file/ prefix, effectively bypassing normal access controls that should prevent arbitrary file reading.

The technical implementation of this vulnerability stems from insufficient input validation and sanitization within the endpoint's parameter processing logic. When LiteLLM processes requests containing oidc/file/ references in the litellm_params structure, it fails to properly validate or restrict the file paths being accessed, allowing attackers to specify arbitrary local file locations that can be read by the proxy server process. This represents a classic path traversal vulnerability where user-supplied input directly influences file system access operations without proper authorization checks.

The operational impact of this vulnerability is significant for organizations relying on LiteLLM as an AI gateway solution, particularly in environments where the proxy server runs with elevated privileges or has access to sensitive configuration files, database credentials, or system information. An attacker with permission to test model connections could potentially read critical system files including password hashes, SSL certificates, API keys, and other sensitive data stored on the local filesystem. This vulnerability essentially transforms a legitimate administrative function into a potential data exfiltration vector.

Security implications extend beyond simple file reading capabilities as this flaw can be leveraged to escalate privileges within the system and potentially gain deeper access to underlying infrastructure. The vulnerability aligns with CWE-22 Path Traversal and CWE-73 Path Traversal in File Names or Directories, representing a fundamental failure in input validation that allows attackers to bypass normal file system access controls. From an ATT&CK perspective, this vulnerability maps to techniques involving privilege escalation through local service manipulation and credential access via file system reconnaissance. The fix implemented in version 1.83.10-stable addresses this by introducing proper path validation and sanitization mechanisms that prevent arbitrary file reference resolution while maintaining legitimate functionality for authorized file access operations.

Organizations utilizing LiteLLM should immediately implement the patched version to mitigate this vulnerability, as the risk of exploitation increases with the presence of privileged users who can initiate connection tests. Additional mitigations include restricting access to the /health/test_connection endpoint, implementing network segmentation, and monitoring for unusual file system access patterns that may indicate exploitation attempts. The vulnerability highlights the importance of validating all user-supplied inputs in proxy and gateway systems where administrative functions can potentially expose underlying system resources.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!