{
  "threat_severity" : "Important",
  "public_date" : "2026-05-08T03:36:58Z",
  "bugzilla" : {
    "description" : "litellm: LiteLLM: Arbitrary code execution via unsandboxed prompt templates",
    "id" : "2467917",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467917"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-94",
  "details" : [ "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.", "A flaw was found in LiteLLM, an AI Gateway. An authenticated user could exploit this by sending a crafted prompt template to the POST /prompts/test endpoint. The endpoint rendered user-supplied prompt templates without proper sandboxing. This could lead to arbitrary code execution within the LiteLLM Proxy process, potentially exposing sensitive information such as API keys or database credentials, and allowing commands to be run on the host system." ],
  "statement" : "Important: This flaw in LiteLLM, an AI Gateway, allows an authenticated user to achieve arbitrary code execution by sending a crafted prompt template to the /prompts/test endpoint. This is considered Important due to the potential for exposure of sensitive information, such as API keys or database credentials, and the ability to run commands on the host system, impacting the integrity and confidentiality of the deployed environment.",
  "package_state" : [ {
    "product_name" : "Exploit Intelligence",
    "fix_state" : "Not affected",
    "package_name" : "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9",
    "cpe" : "cpe:/a:redhat:exploit_intelligence:0"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-26/lightspeed-chatbot-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-llama-stack-core-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42203\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42203\nhttps://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable\nhttps://github.com/BerriAI/litellm/security/advisories/GHSA-xqmj-j6mv-4862" ],
  "name" : "CVE-2026-42203",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}