๐Ÿ” CVE Alert

CVE-2026-59820

UNKNOWN 0.0

LiteLLM: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
24th

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.7-stable, LiteLLM Skills archive extraction did not sufficiently validate file paths from uploaded skill ZIP archives, allowing an authenticated user with access to LiteLLM LLM API routes or a key whose allowed_routes includes /v1/skills, anthropic_routes, or llm_api_routes to upload a crafted skill archive containing path traversal entries that could be written outside the intended extraction or staging directory. This issue is fixed in version 1.83.7-stable.

CWE CWE-22
Vendor berriai
Product litellm
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for berriai litellm

Be the first to know when new unknown vulnerabilities affecting berriai litellm are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

BerriAI / litellm
< 1.83.7-stable

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/BerriAI/litellm/security/advisories/GHSA-5jmr-gcrj-2c9q github.com: https://github.com/BerriAI/litellm/pull/25475 github.com: https://github.com/BerriAI/litellm/commit/6a15adcd64137d37f73dee76dfe7481f8c2d9196 github.com: https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable