CVE-2026-35030 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: April 7, 2026
LiteLLM - Broken Access Control
Published: April 6, 2026 | Updated: April 7, 2026 | Remote Exploitable
Overview
LiteLLM versions before 1.83.0 contain a broken access control vulnerability: the OIDC userinfo cache is keyed on only the first 20 characters of the JWT token. Because distinct tokens can share that prefix, an unauthenticated attacker can be served a cached identity belonging to a legitimate user. Exploitation requires JWT/OIDC authentication to be enabled.
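As an added illustration, not LiteLLM's own code, the cache-key pattern the advisory describes is shown beside a hardened form: two constructed tokens that share a 20-character prefix collide under the truncated key and stay distinct under a digest of the full token. The token builder, cache layout and `safe_cache_key` remediation are assumptions for the demo.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, Optional, Tuple

# Constructed, unsigned JWT-shaped strings (not real credentials) whose
# header segments are identical, so their first 20 characters match.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_token(sub: str) -> str:
    """Build a JWT-shaped string for the demo; the signature is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub}).encode())
    return f"{header}.{payload}.constructed-signature"

TOKEN_ALICE = make_demo_token("alice")
TOKEN_OTHER = make_demo_token("someone-else")

def weak_cache_key(token: str) -> str:
    # The pattern the advisory describes: a truncated token prefix.
    # Every token from the same issuer shares the base64url header, so
    # this key is effectively the same for all of them.
    return token[:20]

def safe_cache_key(token: str) -> str:
    # Hardened (assumed remediation, not LiteLLM's code): hash the full
    # token so the key depends on every byte, including the signature.
    return hashlib.sha256(token.encode()).hexdigest()

def lookup_identity(cache: Dict[str, str], token: str,
                    key_fn: Callable[[str], str]) -> Optional[str]:
    """Return the cached userinfo identity for this token, if any."""
    return cache.get(key_fn(token))

def demo(key_fn: Callable[[str], str]) -> Tuple[Optional[str], Optional[str]]:
    """Populate the cache from alice's token, then look up a different token.

    Returns (alice_hit, other_hit); a correct key scheme yields other_hit None."""
    cache: Dict[str, str] = {}
    cache[key_fn(TOKEN_ALICE)] = "alice"  # simulated OIDC userinfo result
    return (lookup_identity(cache, TOKEN_ALICE, key_fn),
            lookup_identity(cache, TOKEN_OTHER, key_fn))

if __name__ == "__main__":
    print("truncated key:", demo(weak_cache_key))
    print("full-token digest:", demo(safe_cache_key))
```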
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Unauthenticated attackers can be treated as a legitimate user, inheriting that user's permissions and access.
Mitigation
Update to version 1.83.0 or later.
Details
- CVE ID: CVE-2026-35030
- Severity: Critical
- CVSS Score: 9.1
- Type: broken_access_control
- Status: confirmed
CWE
- CWE-287
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N