What happened
A security flaw in BerriAI LiteLLM up to and including version 1.82.5 leads to incorrect authorization in the async_pre_call_hook function of enterprise/enterprise_hooks/banned_keywords.py (Completions Interface). Manipulating the prompt argument triggers the incorrect authorization, allowing the enterprise keyword-banning control to be bypassed. CVSS 6.3 (Medium); published 2026-06-21.
Why it matters
Enterprise deployments of LiteLLM use the banned-keywords hook as a security policy control to stop specific prompt content from reaching LLM providers. A bypass defeats content-policy enforcement at the AI gateway, so prohibited content can reach providers through prompt injection and enterprise AI pipelines can fall out of regulatory compliance.
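As an added illustration (this is not LiteLLM's code, and the advisory does not describe the actual root cause of this CVE), the following Python sketches what a keyword-ban pre-call check has to cover so that the policy is enforced on every piece of prompt text. It assumes the hook receives an OpenAI-style request body as a dict, with either a chat "messages" list or a legacy "prompt" field, and that message content may be a plain string or a list of content parts; the banned-keyword list and request bodies are constructed sample data.

```python
"""Illustrative keyword-ban pre-call check (added example; not LiteLLM's own code).

Assumptions, not taken from the advisory:
- The hook receives an OpenAI-style request body as a dict holding a
  "messages" list (chat) and/or a "prompt" field (completions).
- A message's "content" may be a plain string or a list of content parts
  such as {"type": "text", "text": "..."}.
"""
from __future__ import annotations

import unicodedata
from typing import Any, Iterator

# Constructed sample policy for the example.
BANNED_KEYWORDS = ("internal-only", "secret project x")


def _iter_text(value: Any) -> Iterator[str]:
    """Yield every text fragment reachable from a request field.

    Strings are yielded as-is, lists are walked element by element, and
    dicts contribute their "text", "content" and "prompt" members, so the
    check does not depend on which shape the client chose.
    """
    if isinstance(value, str):
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from _iter_text(item)
    elif isinstance(value, dict):
        for key in ("text", "content", "prompt"):
            if key in value:
                yield from _iter_text(value[key])


def _normalize(text: str) -> str:
    """Unicode-normalize and case-fold so policy matching is consistent."""
    return unicodedata.normalize("NFKC", text).casefold()


def find_banned_keywords(data: dict, banned=BANNED_KEYWORDS) -> list[str]:
    """Return the banned keywords present anywhere in the request body.

    Both the chat "messages" list and the legacy "prompt" field are scanned,
    whatever shape their content takes.
    """
    fragments = list(_iter_text(data.get("messages", [])))
    fragments.extend(_iter_text(data.get("prompt", "")))
    haystack = _normalize("\n".join(fragments))
    return [kw for kw in banned if _normalize(kw) in haystack]


class BannedKeywordError(PermissionError):
    """Raised to reject a request before it is forwarded to a provider."""


def check_request(data: dict) -> dict:
    """Synchronous policy decision: return the body unchanged or raise."""
    hits = find_banned_keywords(data)
    if hits:
        raise BannedKeywordError(f"request blocked: banned keywords {hits}")
    return data


async def pre_call_hook(data: dict) -> dict:
    """Async wrapper in the spirit of a gateway pre-call hook (hypothetical signature)."""
    return check_request(data)


if __name__ == "__main__":
    # Constructed request bodies in the shapes the check must handle.
    chat_parts = {"messages": [{"role": "user", "content": [
        {"type": "text", "text": "Summarize the Secret Project X memo."}]}]}
    legacy = {"prompt": ["unrelated", "contains INTERNAL-ONLY data"]}
    print(find_banned_keywords(chat_parts))  # ['secret project x']
    print(find_banned_keywords(legacy))      # ['internal-only']
```

The point of the walker is that a policy control is only as strong as its coverage: if it inspects one field or one content shape, any text carried in another is forwarded unchecked. Normalizing before matching keeps the decision consistent across clients.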
Attack vector
A crafted prompt argument sent to the Completions Interface bypasses the keyword-ban enforcement performed in async_pre_call_hook.
Affected systems
LiteLLM (BerriAI) ≤ 1.82.5 (Enterprise edition, banned_keywords hook)
Mitigation
Upgrade LiteLLM to ≥ 1.84.0. NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-12797