host header injection

Jun 19, 2026 5 min read

LiteLLM CVE-2026-49468: Host Header Hijack Bypasses AI Gateway Auth

A new critical authentication bypass in LiteLLM lets attackers manipulate the HTTP Host header to access protected management endpoints without credentials. Fixed in version 1.84.0, disclosed June 17.