5 min read
News Brief A new critical authentication bypass in LiteLLM lets attackers manipulate the HTTP Host header to access protected management endpoints without credentials. Fixed in version 1.84.0, disclosed June 17.
A new critical authentication bypass in LiteLLM lets attackers manipulate the HTTP Host header to access protected management endpoints without credentials. Fixed in version 1.84.0, disclosed June 17.
CISA added CVE-2026-42271 to KEV after Horizon3.ai chained the LiteLLM MCP command injection flaw with a Starlette auth bypass for unauthenticated RCE. Federal deadline: June 22.
A practical framework for implementing prompt injection detection at the API gateway layer: input sanitisation, context isolation, output filtering, and anomaly detection.