theorydeltaclaim-fidelity audits
built 2026-07-17dossiers: 5last verified 2026-07-09independent · evidence-traced · no vendor influence
← back to LiteLLM dossier

CLAIM 9 / LiteLLM

Centralized API gateway with authentication & authorization; virtual keys for secure access control (docs.litellm.ai comparison table, captured 2026-06-11)

partial

Observed

Source-reviewed: the auth layer exists and functions, but its 2026 security record materially qualifies 'secure': 7 GitHub security advisories published 2026-04-03 through 2026-05-07, including a Critical OIDC authentication bypass (GHSA-jjhc-v7c2-5hh6) and a Critical SQL injection in the API key verification path (GHSA-r75f-5x8p-qvmc) — both patched; a JWT signature-verification bypass report was closed not-planned with no fix merged (#20500, 2026-02-06); PyPI releases 1.82.7-1.82.8 carried credential-stealing malware via a compromised CI scanner (March 2026 supply-chain incident, vendor-disclosed).

  1. UPDATE 2026-06-28: an 8th Critical advisory — Host Header Injection (GHSA-4xpc-pv4p-pm3w, CVSS 9.5, disclosed 2026-05-28) — was patched in v1.84.0; current stable v1.90.0 is safe.

Evidence

Verification

verified 2026-07-12 · by probe-ci · probe probes/litellm/claim-9/

theorydelta.com · 2026independent · evidence-backed · every claim sourced or labelledabout ·glossary ·rss ·mcp ·llms.txt