CVE-2026-35030: CWE-287: Improper Authentication in BerriAI litellm
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
AI Analysis
Technical Summary
LiteLLM, a proxy server for LLM APIs, prior to version 1.83.0, contains an improper authentication vulnerability (CWE-287) when JWT authentication is enabled. The OIDC userinfo cache uses the first 20 characters of the JWT token as a cache key, but tokens signed with the same algorithm share identical prefixes, allowing an attacker to craft a token that collides with a legitimate user's cache entry. This enables the attacker to impersonate that user and gain their permissions. The vulnerability is fixed in version 1.83.0. This affects only deployments with enable_jwt_auth set to true, which is not the default setting.
Potential Impact
An unauthenticated attacker can impersonate legitimate users by exploiting the token cache key collision, gaining unauthorized access and permissions within the litellm proxy server. This can lead to privilege escalation and unauthorized actions in affected deployments. The severity is critical with a CVSS 4.0 score of 9.4, reflecting network attack vector, low complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade litellm to version 1.83.0 or later, where this vulnerability is fixed. If upgrading immediately is not possible, disable JWT/OIDC authentication (enable_jwt_auth: false) as this vulnerability only affects deployments with JWT authentication enabled. Patch status is not explicitly stated but the fix is included in version 1.83.0, so applying this update is the recommended remediation.
CVE-2026-35030: CWE-287: Improper Authentication in BerriAI litellm
Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
LiteLLM, a proxy server for LLM APIs, prior to version 1.83.0, contains an improper authentication vulnerability (CWE-287) when JWT authentication is enabled. The OIDC userinfo cache uses the first 20 characters of the JWT token as a cache key, but tokens signed with the same algorithm share identical prefixes, allowing an attacker to craft a token that collides with a legitimate user's cache entry. This enables the attacker to impersonate that user and gain their permissions. The vulnerability is fixed in version 1.83.0. This affects only deployments with enable_jwt_auth set to true, which is not the default setting.
Potential Impact
An unauthenticated attacker can impersonate legitimate users by exploiting the token cache key collision, gaining unauthorized access and permissions within the litellm proxy server. This can lead to privilege escalation and unauthorized actions in affected deployments. The severity is critical with a CVSS 4.0 score of 9.4, reflecting network attack vector, low complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade litellm to version 1.83.0 or later, where this vulnerability is fixed. If upgrading immediately is not possible, disable JWT/OIDC authentication (enable_jwt_auth: false) as this vulnerability only affects deployments with JWT authentication enabled. Patch status is not explicitly stated but the fix is included in version 1.83.0, so applying this update is the recommended remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T21:06:06.427Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d3ea320a160ebd92c9fd81
Added to database: 4/6/2026, 5:15:30 PM
Last enriched: 4/6/2026, 5:31:14 PM
Last updated: 4/7/2026, 7:04:40 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.