{"id":"CVE-2026-35030","summary":"LiteLLM has an authentication bypass via OIDC userinfo cache key collision","details":"LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled. Fixed in v1.83.0.","aliases":["GHSA-jjhc-v7c2-5hh6"],"modified":"2026-05-28T03:54:54.818273661Z","published":"2026-04-06T16:47:02.065Z","related":["CGA-3jhq-x26v-672q"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-287"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35030.json"},"references":[{"type":"ADVISORY","url":"https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35030.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35030"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/berriai/litellm","events":[{"introduced":"0"},{"fixed":"f0518c1d984947a219335a857e2f8835ae5eb76f"}]}],"versions":["v1.81.9.rc.1","v1.81.9-stable","v1.81.9-nightly","v1.82.5.dev.1","v1.82.6.dev2","v1.82.1.rc.1","v1.82.1-nightly","v1.82.4-nightly","v1.82.1-silent-dev2","v1.81.16.custm-auth.dev","v1.81.14.rc.1","v1.81.14-nightly","litellmv1.81.15.presidio.dev","litellm-pres-dev-v1.81.15","v1.81.13.dev1","litellm_pro-mgmnt-dev-v1.81.13","litellm_1.81.13-dev","v1.80.11.rc.1","v1.80.11-stable","v1.80.11-nightly","litellm_sso-dev-v1.81.13","v1.81.12-nightly","v1.80.17-nightly","v1.81.3.rc.5","v1.81.7.dev1","v1.81.0.rc.1","v1.81.0-nightly","v1.81.3.rc","v1.81.3.rc.1","v1.81.3-nightly","v1.81.1-nightly","v1.80.16.dev6","v1.80.13-nightly","v1.80.16-nightly","v1.80.15.rc.1","v1.80.15-nightly","v1.80.12-nightly","v1.80.10.dev.1","v1.80.10.rc.1","v1.80.10-nightly","v1.80.8.rc.1","v1.80.8-nightly","v1.80.9.dev1","v1.80.9-nightly","v1.80.8.dev.1","v1.80.7.dev.3","v1.80.6-nightly","v1.80.5.dev2","v1.80.5-nightly","v1.78.5.rc.1","v1.78.5-stable","v1.78.5-nightly","v1.80.0.dev6","v1.80.0.dev2","v1.80.0.dev1","v1.80.0-nightly","v1.79.3.dev7","v1.79.3.dev5","v1.79.dev.1","v1.79.3.rc.1","v1.79.3-nightly","v1.79.2-nightly","v1.79.1.rc.1","v1.79.1-nightly","v1.79.0.rc.1","v1.79.0-nightly","v1.78.7-nightly","v1.78.6-nightly","v1.78.4.dev1","v1.78.4-nightly","v1.78.3-nightly","v1.78.2-nightly","v1.78.0-nightly","v1.77.7.rc.1","v1.77.7-nightly","v1.77.7.dev9","v1.77.7.dev.3","v1.77.7.rc.2","v1.77.1.rc.1-v2","v1.77.5.rc.1","v1.77.5-nightly","v1.77.6.dev.1","v1.77.4-nightly","v1.77.3-nightly","v1.77.3.dynamic_rates","v1.77.2.rc.1","v1.77.1-nightly","v1.77.1.dev.2","v1.77.1.dev.1","v1.77.0-nightly","v1.76.3.dev1","v1.76.1.rc.1","v1.76.3.rc.1","v1.76.3-nightly","v1.76.2-nightly","v1.76.1-nightly","v1.76.0-nightly","v1.76.0-stable-draft","v1.75.9-nightly","v1.75.8-stable","v1.75.8-nightly","v1.75.7-nightly","v1.75.6-nightly","v1.73.0.rc.1","v1.75.5.rc.1","v1.75.5-stable.rc-draft","v1.75.4-nightly","v1.75.2-nightly","v1.75.3-nightly","v1.75.0-nightly","v1.74.15-nightly","1.74.15.rc.1","v1.74.9.rc.1","v1.74.9-stable","v1.74.14-nightly","v1.74.12-nightly","v1.74.9.rc-draft","v1.74.7.rc.1","v1.74.8-nightly","v1.74.7-nightly","v1.74.6-nightly","v1.74.5.dev1","v1.74.4-nightly","v1.74.3.rc.1","v1.74.3-stable-draft","v1.74.3-nightly","v1.74.2-nightly","v1.74.1-nightly","v1.65.4-nightly","v1.74.0-nightly","v1.73.7-nightly","v1.73.6.rc-draft","v1.73.6.rc.1","v1.73.6-nightly","v1.73.2-nightly","v1.73.1-nightly","v1.73.0-nightly","v1.72.9-nightly","v1.72.7-nightly","v1.72.6.rc","v1.72.6.dev1","v1.72.6-nightly","1.72.6.rc-draft","v1.72.2.devMCP","v1.72.5.dev1","v1.72.4-nightly","v1.72.2.rc","v1.72.3-nightly","v1.72.2-nightly","v1.72.1.dev8","v1.72.1-nightly","v1.72.1.dev1","v1.72.0.dev3","v1.72.0.rc","v1.72.0.dev1","v1.72.0-nightly","v1.71.3-rc","v1.71.3-nightly","v1.71.1-stable","v1.71.1-nightly","v1.71.2.dev3","v1.71.2-nightly","v1.71.2.dev1","v1.71.0-nightly","v1.70.2-nightly","v1.70.4-nightly","v1.70.2.dev5","v1.69.0-stable","v1.70.1.dev2","v1.67.0-stable.patch2","v1.68.0-stable","v1.70.1-stable","v1.70.0-nightly","v1.69.3-nightly","v1.69.2-nightly","v1.69.0.dev1","v1.69.1-nightly","v1.69.0-nightly","v1.68.2-nightly","v1.68.1.dev4","v1.68.1-nightly","v1.68.1.dev2","v1.68.1.dev1","v1.68.0-nightly","v1.67.6.dev1","v1.67.7-stable","v1.67.6-nightly","v1.67.5-nightly","v1.67.3.dev6","v1.67.3.dev4","v1.67.4-nightly","v1.67.3.dev1","v1.67.2-nightly","v1.67.1-nightly","v1.67.0-nightly","v1.67.0-stable","v1.66.3.dev5","v1.66.3-nightly","v1.66.2.dev1","v1.66.2-nightly","v1.66.1-nightly","v1.66.0-nightly","v1.65.8-nightly","v1.65.7-nightly","v1.65.6-nightly","v1.65.5-nightly","v1.65.3-nightly","v1.65.2.dev1","v1.65.1-nightly","v1.65.0.rc","v1.65.0-nightly","v1.64.1-nightly","1.64.0.dev1","v1.63.14.rc","v1.63.14-nightly","v1.63.12-nightly","v1.63.11-stable","v1.63.11-nightly","v1.63.8-nightly","v1.63.7-nightly","v1.63.6.dev1","v1.63.6-nightly","v1.63.5-nightly","v1.63.2-nightly","v1.63.3-nightly","v1.63.0-nightly","v1.62.4-nightly","v1.62.1-nightly","v1.61.20.rc","v1.61.20-nightly","v1.61.19-nightly","v1.61.17-nightly","v1.61.16-nightly","v1.61.15-nightly","v1.61.13.rc","v1.61.13-nightly","v1.61.11-nightly","v1.61.9-nightly","v1.61.7.dev1","v1.61.8-nightly","v1.61.7-nightly","v1.61.7","v1.61.6-nightly","v1.61.5-nightly","v1.61.3-nightly","v1.61.3","v1.61.4-nightly","v1.61.3.dev1","v1.61.2-nightly","v1.61.1","v1.61.0","v1.60.4","v1.60.2-dev1","v1.60.8","v1.60.6","v1.60.5","v1.60.2","v1.60.0.dev4","v1.60.0.dev2","v1.60.0","v1.59.10","v1.59.8","v1.59.9","v1.59.7","v1.59.6","v1.59.5","v1.59.3","v1.59.2","v1.59.1","v1.59.0","v1.58.4","v1.58.2","v1.58.1","v1.58.0","v1.57.11","v1.57.8","v1.57.10","v1.57.7","v1.57.5","v1.57.4","v1.57.3","v1.57.2","v1.57.1","v1.57.0","v1.56.10","v1.56.9","v1.56.8","v1.56.6","v1.56.5","v1.56.4","v1.56.3","v1.56.2","v1.55.12","v1.55.11","v1.55.10","v1.55.8","v1.55.9-test2","v1.55.9-test","v1.55.9","v1.55.4-test-release-2","v1.55.4-test-release","v1.55.4","v1.55.3","v1.55.1","v1.55.2","v1.55.0","v1.54.1","v1.54.0","v1.53.9","v1.53.8","v1.53.7.dev4","v1.53.7-stable","v1.53.7","v1.53.6","v1.53.5","v1.53.4","v1.53.3","v1.53.2","v1.53.1","v1.52.15","v1.52.16.dev1","v1.52.16","v1.52.14","v1.52.10","v1.52.12","v1.52.11","v1.52.9","v1.52.8","v1.52.5","v1.52.6","v1.52.4","v1.52.3","v1.52.2","v1.52.1","v1.51.3.dev10","v1.52.0-stable","v1.52.0","v1.51.3","v1.51.1-stable","v1.51.1","v1.51.2","v1.51.0-stable","v1.51.0","v1.50.4-stable","v1.50.4","v1.50.2-stable","v1.50.2","v1.50.1-stable","v1.50.1","v1.50.0-stable","v1.50.0","v1.49.7-stable","v1.49.7","v1.49.6-stable","v1.49.6","v1.49.5","v1.49.4","v1.49.3-stable","v1.49.3","v1.49.2-stable","v1.49.2","v1.49.1","v1.49.0-stable","v1.49.0","v1.48.19-stable","v1.48.19","v1.48.18","v1.48.17-stable","v1.48.17","v1.48.16-stable","v1.48.16","v1.48.15","v1.48.14-stable","v1.48.14","v1.48.12","v1.48.11-stable","v1.48.11","v1.48.10","v1.48.9-stable","v1.48.9","v1.48.8-stable","v1.48.8","v1.48.7-stable","v1.48.7","v1.48.6","v1.48.5.dev1","v1.48.5-stable","v1.48.5","v1.48.4-stable","v1.48.4","v1.48.3","v1.48.2.dev8","v1.48.2","v1.48.1","v1.48.0","v1.47.2.dev4","v1.47.2","v1.47.1","v1.47.0","v1.46.8","v1.46.7","v1.46.6","v1.46.5","v1.46.4","v1.46.2","v1.46.1","v1.46.0","v1.45.0","v1.44.28","v1.44.27","v1.44.26","v1.44.25","v1.44.24","v1.44.23-stable","v1.44.23","v1.44.22-stable","v1.44.22","v1.44.21-stable","v1.44.21","v1.44.19-stable","v1.44.19","v1.44.18-stable","v1.44.18","v1.44.17-stable","v1.44.17","v1.44.16-stable","v1.44.16","v1.44.15-stable","v1.44.15","v1.44.14-stable","v1.44.14","v1.44.13-stable","v1.44.13","v1.44.12-stable","v1.44.12","v1.44.11-stable","v1.44.11","v1.44.10-stable","v1.44.10","v1.44.9","v1.44.8-dev1","v1.44.8","v1.44.7","v1.44.6-stable","v1.44.6","1.44.6","v1.44.5","v1.44.4.dev2","v1.44.4","v1.44.3","v1.44.2","v1.44.1","v1.43.19.dev2","v1.43.19-stable","v1.43.19","v1.43.19.dev1","v1.43.18-stable","v1.43.18","v1.43.17","v1.43.16-stable","v1.43.16","v1.43.15-stable","v1.43.15","v1.43.13-stable","v1.43.13","v1.43.12","v1.43.10-stable","v1.43.10","v1.43.9","v1.43.7-stable","v1.43.7","v1.43.6.dev1","v1.43.6-stable","v1.43.6","v1.43.5-stable","v1.43.5","v1.43.4.dev5","v1.43.4","v1.43.3","v1.43.2","v1.43.1","v1.43.1-dev1","v1.43.0","v1.42.12","v1.42.10-stable","v1.42.10","v1.42.11","v1.42.9-stable","v1.42.9.dev1","v1.42.9-stable-fix","v1.42.9","v1.42.8","v1.42.7-stable","v1.42.7","v1.42.6","v1.42.5-dev2","v1.42.5-dev1","v1.42.5-stable","v1.42.5","v1.42.4-stable","v1.42.4","v1.42.3-stable","v1.42.3","v1.42.2-stable","v1.42.2","v1.42.1","v1.42.0-stable","v1.42.0","v1.41.28","v1.41.27","v1.41.26","v1.41.26.dev1","v1.41.25","v1.41.24.dev1","v1.41.24","v1.41.22","v1.41.23-stable","v1.41.23","v1.41.21","v1.41.20","v1.41.19","v1.41.18","v1.41.15","v1.41.17","1.41.14.dev15","v1.41.14.dev10","v1.41.14.dev8","v1.41.13","v1.41.14","1.41.12.dev1","v1.41.12","1.41.11.dev5","v1.41.11.dev1","v1.41.8.dev2","v1.41.8.dev1","v1.41.11","v1.41.8","v1.41.7","v1.41.6.dev1","v1.41.5","v1.41.6","v1.41.5.dev1","v1.41.4.dev1","v1.41.4","v1.41.3.dev2","v1.41.3","v1.41.2-stable","v1.41.2","v1.41.1","v1.41.0-stable","v1.41.0","v1.40.31","v1.40.29","v1.40.28","v1.40.27","v1.40.26","v1.40.25","v1.40.24","v1.40.22","v1.40.21","v1.40.20","v1.40.19","v1.40.17","v1.40.16","v1.40.15","v1.40.14","v1.40.13","v1.40.12","v1.40.11","v1.40.10","v1.40.9-stable","v1.40.9","1.40.8.dev1","v1.40.8-stable","v1.40.8","v1.40.7.dev1","v1.40.7","v1.40.6","v1.40.5","v1.40.4","v1.40.3-stable","v1.40.3","v1.40.2-stable","v1.40.2","v1.40.1.dev4","v1.40.1.dev2","v1.40.1","v1.40.0","v1.39.6","v1.39.5","v1.39.5-stable","v1.39.4","v1.39.3","v1.39.2","v1.38.12","v1.38.11","v1.38.10","v1.38.8-stable","v1.38.8","v1.38.7-stable","v1.38.7","v1.38.5","v1.38.4-stable","v1.38.4","v1.38.3","v1.38.2","v1.37.20","v1.38.1","v1.38.0-stable","v1.38.0","v1.37.20.dev1","v1.37.19-stable","v1.37.19","v1.37.17","v1.37.16-stable","v1.37.16","v1.37.14","v1.37.13-stable","v1.37.13","v1.37.12.dev1","v1.37.12-stable","v1.37.12","v1.37.11","v1.37.10","v1.37.9-stable","v1.37.9","v1.37.7-stable","v1.37.7","v1.37.6","v1.37.5-stable","v1.37.5","v1.37.3-stable","v1.37.3","v1.37.2","v1.37.0","v1.36.4-stable","v1.36.4","v1.37.0.dev_version_headers","v1.36.3","v1.36.2-stable","v1.36.2","v1.36.1","v1.36.0","v1.35.38-stable","1.35.36.dev1","v1.35.38","v1.35.37","v1.35.36-dev2","v1.35.36","v1.35.35.dev1","v1.35.35","v1.35.34","v1.35.33.dev1","v1.35.33.dev3","v1.35.33.dev2","1.35.33.dev4","v1.35.33","v1.35.32.dev1","v1.35.32","v1.35.31","v1.35.30","v1.35.29","v1.35.28.dev1","v1.35.28","v1.35.26.dev1","v1.35.26","v1.35.25","1.35.24.dev6","v1.35.24.dev1","v1.35.24","v1.35.21-stable","v1.35.23","v1.35.21","v1.35.20.dev2","v1.35.20","v1.35.19","v1.35.18","v1.35.17","v1.35.16","v1.35.15-stable","v1.35.15","1.35.13.dev1","v1.35.14","v1.35.13","v1.35.10","v1.35.12","v1.35.11","v1.35.8.dev1","v1.35.8","v1.35.7","v1.35.6","v1.35.5","1.35.5.dev2","v1.35.4","v1.35.3","v1.35.2","v1.35.1.dev2","v1.35.1.dev1","v1.35.1","1.35.1.dev1","v1.35.0","v1.34.42","v1.34.41","1.34.39.dev1","v1.34.40","v1.34.39","v1.34.38","v1.34.37.dev1","v1.34.37","v1.34.36.dev2","v1.34.36","v1.34.35","1.34.35-stable","v1.34.34.dev1","v1.34.34","v1.34.33","1.34.2","v1.34.29","v1.32.33.dev1","1.34.28.dev3","v1.34.28","v1.34.28.dev12","v1.34.27","v1.34.26","v1.34.25","v1.34.21-stable","v1.34.23-stable","v1.34.22.dev15-stable","v1.34.22-stable","1.34.20-stable","stable","v1.32.33-stable","v.1.32.34-stable","v1.34.22","v1.34.21","v1.34.20","v1.34.19","v1.34.18","v1.34.17","v1.34.16","v1.34.14","v1.34.13","v1.34.12","v1.34.10","v1.34.10.dev1","v1.34.8.dev1","pr-litellm-spend-logs-db","v1.34.8","v1.34.6","v1.34.5","v1.34.4.dev2","v1.34.4.dev1","v1.34.4","v1.34.3","v1.34.1","v1.34.0","v1.33.9","v1.33.8","v1.33.7","v1.33.4","v1.33.3","v1.33.2","v1.33.1","v1.33.0","v1.32.9","v1.32.7.dev5","v1.32.7.dev1","v1.32.7.dev3","v1.32.7","v1.32.4","v1.32.3","v1.32.1","v1.31.17","v1.31.16","test","latest","v1.31.15","v1.31.14","v1.31.13","v1.31.12-dev3","v1.31.12-dev1","v1.31.12-dev","v1.31.12","v1.31.10","v1.31.9","v1.31.8","v1.31.7","v1.31.6","v1.31.5","v1.31.4","v1.31.3","v1.31.2","v1.30.7","v1.30.6","v1.30.5","v1.30.4","v1.30.3","v1.30.2","v1.30.1","v1.30.0","v1.29.7","v1.29.5","v1.29.4","v1.29.3","v1.29.1","v1.28.13","v1.28.11","v1.28.10","v1.28.9","v1.28.8","v1.28.7","v1.28.6","v1.28.0","v1.28.4","v1.28.3","v1.28.2","v1.28.1","v1.27.15","v1.27.14","v1.27.10","v1.27.9","v1.27.8","v1.27.7","v1.27.6","v1.27.4","v1.27.1","v1.26.13","v1.26.9","v1.26.11","v1.26.10","v1.26.8","v1.26.7","v1.26.6","v1.26.5","v1.26.4","v1.26.3","v1.26.2","v1.26.1","v1.26.0","v1.25.2","v1.25.0","v1.25.1","v1.24.6","v1.24.5","v1.24.3","v1.24.1","v1.23.16","v1.23.15","v1.23.14","v1.23.12","v1.23.10","v1.23.9","v1.23.8","v1.23.7","v1.23.5","v1.23.4","v1.23.3","v1.23.2","v1.23.1","v1.23.0","v1.22.11","v1.22.10","v1.22.9","v1.22.8","v1.22.5","v1.22.3","v1.22.2","v1.21.7","v1.21.6","v1.21.5","v1.21.4","v1.21.1","v1.21.0","v1.20.9","v1.20.8","v1.20.7","v1.20.6","v1.20.5","v1.20.3","v1.20.2","v1.20.1","v1.20.0","v1.19.6","v1.19.4","v1.19.3","v1.19.2","v1.19.0","v1.18.13","v1.18.12","v1.18.10","v1.18.11","v1.18.9","v1.18.8","v1.18.7","v1.18.6","v1.18.5","v1.18.4","v1.18.2","v1.18.1","v1.17.12","v1.18.0","v1.17.18","v1.17.16","v1.17.17","v1.17.15","v1.17.14","v1.17.13","v1.17.10","v1.17.9","v1.17.8","v1.17.7","v1.17.6","v1.17.5","v1.17.4","v1.17.3","v1.17.2","v1.17.1","v1.17.0","v1.16-test4","v1.16-test3","v1.16.20.dev3","v1.16-test2","v1.16.21","v1.16.20.dev1","v1.16.20","v1.16.17-test3","v1.16.17-test2","v1.16.17-test","v1.16.19","v1.16.6","v1.16.18","v1.16.17","v1.16.16","v1.16.15","1.16.14","v1.16.13","1.16.13","v1.16.3","v1.15.5","1.16.12","v1.15.0","v1.11.1","v1.10.4","v1.7.11","v1.7.1","v1.1.0","v0.11.1","v0.8.4","v0.1.738","v0.1.574","v0.1.492","v0.1.387"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35030.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"}]}