CVE-2026-42203: LiteLLM: Server-Side Template Injection in /prompts/test endpoint

April 24, 2026 (updated May 4, 2026)

The POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process.

The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host.

Proxy deployments running an affected version are in scope.

References

github.com/BerriAI/litellm
github.com/BerriAI/litellm/releases/tag/v1.83.7-stable
github.com/BerriAI/litellm/security/advisories/GHSA-xqmj-j6mv-4862
github.com/advisories/GHSA-xqmj-j6mv-4862
nvd.nist.gov/vuln/detail/CVE-2026-42203

Code Behaviors & Features

Detect and mitigate CVE-2026-42203 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →