Use of Password Hash With Insufficient Computational Effort Affecting litellm package, versions [,1.83.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Use of Password Hash With Insufficient Computational Effort vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PYTHON-LITELLM-15928842
- published8 Apr 2026
- disclosed8 Apr 2026
- creditUnknown
Introduced: 8 Apr 2026
New CVE NOT AVAILABLE CWE-327 (opens in a new tab)How to fix?
Upgrade litellm to version 1.83.0 or higher.
Overview
litellm is a Library to easily interface with LLM API providers
Affected versions of this package are vulnerable to Use of Password Hash With Insufficient Computational Effort via the user/info, user/update, and spend/users API endpoints, which return password hash fields in responses to any authenticated user. An attacker can gain unauthorized access to other user accounts and escalate privileges by retrieving password hashes and using them to authenticate directly through the v2/login endpoint.