Critical LiteLLM Authentication Bypass via Host Header Injection (CVE-2026-49468)
A critical vulnerability in LiteLLM proxy allows attackers to bypass authentication by manipulating the Host header, gaining unauthorized access to management endpoints.
A critical security vulnerability has been disclosed in LiteLLM, an increasingly popular proxy used for managing large language model (LLM) APIs. The flaw, tracked as CVE-2026-49468, allows attackers to bypass authentication mechanisms under specific conditions by exploiting improper handling of the Host header. The issue affects LiteLLM versions before 1.84.0 and has been assigned a critical severity rating.
The vulnerability stems from a flaw in how the LiteLLM proxy determines request routes during authentication checks. The authentication mechanism relies on the request.url.path value generated by the Starlette framework, which reconstructs the path using the Host header supplied in incoming HTTP requests. By manipulating this header, an attacker can cause the authentication layer to evaluate a different route than the one FastAPI actually processes. This discrepancy creates an opportunity for attackers to bypass access controls and gain unauthorized access to sensitive management endpoints.
The vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing) and carries a high CVSS v4 score, reflecting significant potential impact on confidentiality, integrity, and availability. Notably, it requires neither authentication nor user interaction, making it particularly dangerous in exposed environments. The attack vector is network-based and low-complexity, further increasing its risk profile.
According to GitHub advisory GHSA-4xpc-pv4p-pm3w, most deployments are not affected because the vulnerability is effectively mitigated when upstream infrastructure validates or normalizes the Host header. This includes deployments behind content delivery networks (CDNs), web application firewalls (WAFs), reverse proxies with strict server_name validation, or cloud load balancers configured with host-based routing rules. Additionally, LiteLLM Cloud customers are not impacted by this issue, as the hosted environment includes protective controls that prevent Host header manipulation.
The vulnerability has been patched in LiteLLM version 1.84.0, and users are strongly advised to upgrade immediately. The fix does not require any configuration changes, simplifying remediation efforts. For organizations unable to upgrade immediately, temporary mitigations include placing the LiteLLM proxy behind a trusted upstream component that enforces strict Host header validation. Alternatively, restricting network access to the proxy service can reduce exposure.
The vulnerability was discovered by security researchers Le The Thang from KCSC and Kim Ngoc Chung from One Mount Group. Their findings highlight the risks of improper request parsing in modern API frameworks, especially when relying on headers that clients can manipulate. This disclosure underscores the importance of validating input headers and ensuring consistency between routing and authentication layers in web applications, particularly those handling sensitive AI workloads.