LiteLLM RCE via Unsandboxed Prompt Templates 1.80.5<1.83.7
CVE-2026-42203 Published on May 8, 2026
LiteLLM: Server-Side Template Injection in /prompts/test endpoint
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.
Vulnerability Analysis
CVE-2026-42203 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-42203 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-42203
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
Affected Versions
BerriAI litellm:- Version >= 1.80.5, < 1.83.7 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.