BerriAI litellm Completions banned_keywords.py async_pre_call_hook authorization
Description
A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function async_pre_call_hook of the file enterprise/enterprise_hooks/banned_keywords.py of the component Completions Interface. The manipulation of the argument prompt results in incorrect authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
Root cause
"The `async_pre_call_hook` in both `banned_keywords.py` and `azure_content_safety.py` checks for `call_type == "completion"`, but the proxy always passes `"acompletion"` for HTTP requests, causing the security check to be skipped entirely."
Attack vector
An attacker sends a POST request to `/v1/chat/completions` containing a banned keyword or harmful content. Because the proxy sets `route_type` to `"acompletion"` for all HTTP-originated chat requests, the security hooks compare `"acompletion"` against `"completion"`, which never matches, so the keyword/content check is entirely skipped. The request passes through to the LLM backend unfiltered. No special privileges beyond a valid API key are needed. [CWE-863]
Affected code
The flaw is in `enterprise/enterprise_hooks/banned_keywords.py` line 76 and `litellm/proxy/hooks/azure_content_safety.py` line 121, where `async_pre_call_hook` checks `call_type == "completion"` but the proxy always passes `call_type = "acompletion"` for HTTP requests routed through `/v1/chat/completions` (see `common_request_processing.py` lines 554 and 745).
What the fix does
The patch must change the condition in both hooks to also accept `"acompletion"`, matching the pattern already applied in `presidio.py` (line 831: `call_type == "completion" or call_type == "acompletion"`) and `guardrails_ai.py` (line 220). Without this change, the `if` block that invokes `test_violation()` or `test_violation()` is never entered for HTTP requests, rendering the guardrails ineffective. The advisory notes that no patched version has been released yet.
Preconditions
- configThe LiteLLM proxy must be configured with the `banned_keywords` callback or `AzureContentSafety` hook enabled.
- authThe attacker must have a valid API key (e.g., `sk-1234`) to send requests to the proxy.
- networkThe request must be sent to the HTTP endpoint `/v1/chat/completions`, which triggers async routing.
- inputThe request payload must contain a banned keyword or harmful content in the `messages` field.
Reproduction
1. Configure the LiteLLM proxy with `banned_keywords` in `litellm_settings` and set `banned_keywords_list: ["bannedword"]`. 2. Start the proxy. 3. Send a curl request: `curl -s http://localhost:4000/v1/chat/completions -H "Content-Type: application/json" -H "Authorization: Bearer sk-1234" -d '{"model":"gpt-3.5-turbo","messages":[{"role":"user","content":"bannedword test"}]}'` 4. Observe that the request passes through to the LLM backend instead of returning an HTTP 400 error.
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- gist.github.com/YLChen-007/078179224f07cc4e39e4f141a18c817amitreexploit
- vuldb.com/cve/CVE-2026-12797mitrethird-party-advisory
- vuldb.com/submit/811288mitrethird-party-advisory
- vuldb.com/vuln/372559mitrevdb-entrytechnical-description
- vuldb.com/vuln/372559/ctimitresignaturepermissions-required
News mentions
0No linked articles in our index yet.