CVE-2026-42203

Severity: HIGH · Lab available

LiteLLM: Server-Side Template Injection in /prompts/test endpoint


Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42203. PoCs published by Astianjy.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2026-42203, demonstrating a Server-Side Template Injection (SSTI) vulnerability in LiteLLM's /prompts/test endpoint. The exploit uses a Jinja2 template injection to execute arbitrary Python code, confirmed via a CEYE callback mechanism.

Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.

Exploits (1)

Source: nomisec · WORKING POC
by Astianjy · poc
https://github.com/Astianjy/CVE-2026-42203


Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LiteLLM (version not specified)
Authentication: required
Prerequisites: Valid LiteLLM API key · Access to CEYE API for callback verification · Network access to the target LiteLLM instance
Analyzed by devstral-2 on May 16, 2026

References (2)


Scores

CVSS v3: 8.8
EPSS: 0.0006
EPSS Percentile: 18.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Lab Environment

COMMUNITY
Community Lab
docker pull litellm/litellm:main-v1.83.3-stable

Details

CWE: CWE-1336
Status: published
Products (3)
BerriAI/litellm >= 1.80.5, < 1.83.7
litellm/litellm 1.80.5 - 1.83.7
pypi/litellm 1.80.5 - 1.83.7
Published: May 08, 2026
Tracked Since: May 08, 2026