CVE-2026-35030
LiteLLM: Authentication bypass via OIDC userinfo cache key collision
Description
### Impact

When JWT authentication is enabled (`enable_jwt_auth: true`), the OIDC userinfo cache uses `token[:20]` as the cache key. JWTs signed with the same algorithm share an identical base64url-encoded header, so their first 20 characters are identical. This configuration option is not enabled by default. **Most instances are not affected.**

An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled.

### Patches

Fixed in v1.83.0. The cache key now uses the full hash of the JWT token.

### Workarounds

Disable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely.
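To make the collision concrete, here is an added illustration (not LiteLLM's own code): it builds two JWT-shaped strings that differ only in their claims and compares the `token[:20]` keying the advisory describes with a full-token hash key. The token builder, the placeholder signature and the claim values are constructed for this demo.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict, alg: str = "RS256") -> str:
    """Build a JWT-shaped string: real header and payload, constructed placeholder signature.

    Cache keying never inspects the signature, so a stand-in is enough here.
    """
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{'A' * 43}"


def weak_cache_key(token: str) -> str:
    """Pre-1.83.0 keying described in the advisory: the first 20 characters of the token."""
    return token[:20]


def fixed_cache_key(token: str) -> str:
    """Post-fix keying described in the advisory: a hash over the full token."""
    return hashlib.sha256(token.encode()).hexdigest()


def collides(key_fn, a: str, b: str) -> bool:
    """True when two different tokens would land on the same cache entry under key_fn."""
    return a != b and key_fn(a) == key_fn(b)


def header_len(alg: str) -> int:
    """Encoded header length; when it exceeds 20, token[:20] never reaches the payload."""
    return len(make_token({}, alg).split(".")[0])


if __name__ == "__main__":
    alice = make_token({"sub": "alice", "iss": "https://idp.example"})  # constructed
    other = make_token({"sub": "someone-else", "iss": "https://idp.example"})  # constructed
    print("RS256 header length:", header_len("RS256"))  # 36, so the key is header-only
    print("weak key collides:  ", collides(weak_cache_key, alice, other))  # True
    print("fixed key collides: ", collides(fixed_cache_key, alice, other))  # False
```

The same check can serve as a regression test after upgrading: any two distinct tokens must yield distinct cache keys.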
How to fix CVE-2026-35030
To remediate CVE-2026-35030, upgrade the affected package to a fixed version below.
- Upgrade to 1.83.0 or later
Is CVE-2026-35030 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- LiteLLM: all versions from 0 up to, but not including, 1.83.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N |