A critical security vulnerability has been identified in LiteLLM, a widely used proxy for managing large language model (LLM) APIs. This flaw, designated as CVE-2026-49468, enables attackers to bypass authentication mechanisms by exploiting improper handling of the Host header in HTTP requests.
The vulnerability affects LiteLLM versions prior to 1.84.0 and has been assigned a critical severity rating. The root cause lies in how LiteLLM’s authentication mechanism processes the `request.url.path` value, which is reconstructed using the Host header from incoming HTTP requests. By manipulating this header, an attacker can cause the authentication layer to evaluate a different route than the one actually processed by FastAPI, thereby circumventing access controls and gaining unauthorized access to sensitive management endpoints.
Understanding the Vulnerability
Classified under CWE-290 (Authentication Bypass by Spoofing), this vulnerability poses significant risks to confidentiality, integrity, and availability. It requires neither authentication nor user interaction, making it particularly dangerous in exposed environments. The attack vector is network-based and of low complexity, further increasing its risk profile.
However, most deployments are not affected, because upstream infrastructure typically validates or normalizes the Host header before it reaches LiteLLM. Deployments behind content delivery networks (CDNs), web application firewalls (WAFs), reverse proxies with strict `server_name` validation, or cloud load balancers configured with host-based routing rules effectively mitigate this vulnerability. Additionally, LiteLLM Cloud customers are not impacted, as the hosted environment includes protective controls that prevent Host header manipulation.
Mitigation and Recommendations
The vulnerability has been patched in LiteLLM version 1.84.0, and users are strongly advised to upgrade immediately. The fix does not require any configuration changes, simplifying remediation efforts. For organizations unable to upgrade immediately, temporary mitigations include placing the LiteLLM proxy behind a trusted upstream component that enforces strict Host header validation or restricting network access to the proxy service to reduce exposure.
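The strict Host header validation that the advisory recommends as a stopgap, shown here as an added example rather than LiteLLM's own code or the upstream fix: a standard-library Python allowlist check plus a minimal ASGI middleware that applies it in front of the application, so the authentication layer only ever sees requests for hosts the operator actually serves. The function names, the allowlist entries and the 400 response are assumptions of this example.

```python
import re

# One DNS label: ASCII letters/digits/hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
_PORT_RE = re.compile(r"[0-9]{1,5}")


def normalize_host(host_header):
    """Return the canonical lowercase hostname from a raw Host header, or None
    when the value is anything other than a plain 'host' or 'host:port'.
    Characters that could change a URL rebuilt from the header ('/', '?', '#',
    '@', backslash, whitespace) are rejected outright, never stripped."""
    if not host_header or set(host_header) & set("/\\?#@ \t\r\n"):
        return None
    host, _, port = host_header.lower().partition(":")
    if len(host) > 253 or not all(_LABEL_RE.fullmatch(l) for l in host.split(".")):
        return None
    if port and not (_PORT_RE.fullmatch(port) and 0 < int(port) < 65536):
        return None
    return host


def host_allowed(host_header, allowed_hosts):
    """True if the Host header names a host on the allowlist. Entries are exact
    hostnames or '*.example.com' (subdomains only, not the apex)."""
    host = normalize_host(host_header)
    if host is None:
        return False
    for entry in (e.lower() for e in allowed_hosts):
        if host == entry or (entry.startswith("*.") and host.endswith(entry[1:])):
            return True
    return False


class StrictHostMiddleware:
    """Minimal ASGI middleware (assumed wiring): refuse HTTP requests whose Host
    header is missing, duplicated, or not on the allowlist, before the wrapped
    app and its authentication layer ever see them."""

    def __init__(self, app, allowed_hosts):
        self.app, self.allowed_hosts = app, list(allowed_hosts)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            hosts = [v.decode("latin-1") for k, v in scope.get("headers", []) if k == b"host"]
            if len(hosts) != 1 or not host_allowed(hosts[0], self.allowed_hosts):
                await send({"type": "http.response.start", "status": 400, "headers": []})
                await send({"type": "http.response.body", "body": b"invalid Host header"})
                return
        await self.app(scope, receive, send)
```

IPv6 literal hosts such as `[::1]:4000` are deliberately rejected by this version; the middleware is a fallback for deployments that cannot yet upgrade, not a replacement for the patched release.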
This vulnerability was discovered by security researchers Le The Thang from KCSC and Kim Ngoc Chung from One Mount Group. Their findings highlight the risks of improper request parsing in modern API frameworks, especially when relying on headers that clients can manipulate.
This disclosure underscores the importance of validating input headers and ensuring consistency between routing and authentication layers in web applications, particularly those handling sensitive AI workloads. Organizations should review their deployment configurations and implement necessary safeguards to protect against similar vulnerabilities.