Vulnerability  ·  2026-06-21

LiteLLM Host-Header Auth Bypass Exposes Protected Management Routes (CVE-2026-49468)

Vulnerability · High impact · Global · CVE-2026-49468
CVE-2026-49468 (CVSS 9.5, Critical) is a Host-header injection authentication bypass in LiteLLM versions before 1.84.0, disclosed on 2026-06-19. The flaw stems from a mismatch between how the auth middleware resolves the route (from the Host header) and how FastAPI ultimately dispatches the request (from the URI). A crafted Host value causes the auth layer to evaluate a harmless path while the request reaches a protected management endpoint. It is distinct from the previously covered CVE-2026-42271 (command injection/RCE, CISA KEV) and from the Obsidian privilege-escalation chain: it provides a standalone unauthenticated path to protected API management routes.
LiteLLM acts as a central credential vault and routing broker for an organisation's entire AI stack. Bypassing authentication exposes all stored provider API keys (OpenAI, Anthropic, etc.), model routing configuration, and internal management APIs. When chained with the previously disclosed RCE (CVE-2026-42271), this auth bypass becomes the unauthenticated entry point for full host compromise.
The LiteLLM authentication layer derives the effective route path from the HTTP Host header (via Starlette's request.url.path reconstruction), while FastAPI dispatches on the actual URI. By crafting a malicious Host header value, an unauthenticated attacker can make the auth layer evaluate a different (permitted) route while FastAPI routes the request to a protected management endpoint, bypassing authentication entirely.
Affected versions: LiteLLM < 1.84.0
Upgrade LiteLLM to version 1.84.0 or later (no configuration change required). Place a reverse proxy with strict Host header validation (e.g., Cloudflare, nginx server_name allowlist) in front of exposed instances. Advisory: https://securityonline.info/litellm-authentication-bypass/
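As an added example (not LiteLLM's own code and not the 1.84.0 fix), a Python ASGI middleware of the kind the strict-Host-validation advice above describes: it accepts a Host header only when it parses as a bare hostname[:port] on an allowlist, so a value shaped to alter a URL reconstructed from it is refused before the request reaches authentication or the router. The class and function names and the hostnames are hypothetical.

```python
import asyncio
import re
from typing import Iterable

# Strict Host grammar: DNS name or bracketed IPv6 literal, optional port. Slashes, '?', '#',
# '@' and whitespace never match, so an accepted value cannot reshape a URL rebuilt from it.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(
    rf"^(?:(?P<name>{_LABEL}(?:\.{_LABEL})*)|(?P<v6>\[[0-9A-Fa-f:.]+\]))(?::\d{{1,5}})?$"
)

def host_is_allowed(host: str, allowlist: Iterable[str]) -> bool:
    """True only if `host` is well-formed and its name part is on the allowlist."""
    m = _HOST_RE.match(host)
    if m is None:
        return False
    return (m.group("name") or m.group("v6")).lower() in {a.lower() for a in allowlist}

class StrictHostMiddleware:
    """Hypothetical ASGI middleware (not LiteLLM's code): refuse any HTTP request whose Host
    header is malformed or not allowlisted, before it can reach authentication or routing.
    Downstream auth should then evaluate scope["path"] (what the router dispatches on)."""
    def __init__(self, app, allowed_hosts: Iterable[str]):
        self.app = app
        self.allowed_hosts = list(allowed_hosts)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            host = next((v.decode("latin-1") for k, v in scope.get("headers", [])
                         if k.lower() == b"host"), "")
            if not host_is_allowed(host, self.allowed_hosts):
                await send({"type": "http.response.start", "status": 400,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"invalid Host header"})
                return
        await self.app(scope, receive, send)

def response_status(host_value: str, allowed_hosts: Iterable[str]) -> int:
    """Drive the middleware with a constructed request and return the resulting status.
    The wrapped app is a stub that always answers 200, so 400 means the Host was refused."""
    async def app(scope, receive, send):
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})
    sent = []
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "path": "/health",
             "headers": [(b"host", host_value.encode("latin-1"))]}
    asyncio.run(StrictHostMiddleware(app, allowed_hosts)(scope, None, send))
    return sent[0]["status"]
```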
Sources
SecurityOnline — LiteLLM Authentication Bypass (CVE-2026-49468)
DIESEC — Top 5 Cybersecurity News Stories, June 19 2026
Mallory AI — Critical LiteLLM Host Header Flaw