CVE-2026-35030 (CVSS 9.4): How LiteLLM's JWT Cache Fails and How to Rotate Credentials After the Supply Chain Attack

Introduction

Two critical CVEs in LiteLLM landed this week. CVE-2026-35030 is CVSS 9.4. CVE-2026-35029, CVSS 8.7, chains into remote code execution on the proxy. Both are patched in 1.83.0. Running alongside them: the LiteLLM supply chain attack that has been active since mid-March claimed its first named victim, Mercor, with 4 TB of data exfiltrated and 33,185 unique secrets compromised.

This covers the mechanics of both CVEs, how to verify your exposure, and a credential rotation checklist if you installed the compromised versions.

CVE-2026-35030: The JWT Cache Problem

LiteLLM caches OIDC userinfo to avoid querying the identity provider on every request. The cache key is the first 20 characters of the JWT token.

JWT tokens from the same OIDC provider share algorithm metadata in the header, which means their base64 representations often start with the same characters. Two tokens from the same provider frequently share the same first 20 characters and therefore the same cache key. An authenticated low-privilege user can obtain a token from the same identity provider and have their requests served as a cached high-privilege user. No credential theft needed.

Conditions: Requires enable_jwt_auth:true. Not enabled by default. The fix in 1.83.0 uses a full token hash as the cache key.

CVE-2026-35029: The Config Endpoint

The /config/update endpoint manages proxy settings, environment variable overrides, and pass-through handler registration. Handlers are Python callables the proxy executes during request processing.

The endpoint was documented as admin-only. Authorization was not enforced. Any authenticated user could call it.

The full attack chain combining both CVEs:

1. Use CVE-2026-35030 to impersonate an admin via cache collision
2. Call /config/update as that admin to register a malicious handler
3. The handler executes arbitrary Python on the LiteLLM proxy
4. Read credentials, move laterally

Both CVEs are fixed in 1.83.0.

Check and Patch

pip show litellm

If below 1.83.0:

pip install --upgrade litellm

If you cannot upgrade immediately: disable enable_jwt_auth and restrict /config/update to trusted network segments only.

The Supply Chain Attack: 1.82.7 and 1.82.8

Separate from the CVEs, but overlapping the same window. TeamPCP published trojanized versions 1.82.7 and 1.82.8 to PyPI in mid-March. The infostealer targeted credential storage specific to AI dev environments: .env files, ~/.aws/credentials, shell profiles, terminal history, IDE settings, and agent memory files.

Scope as of April 6: 6,943 compromised developer machines, 33,185 unique secrets extracted, 3,760 still valid. 59% CI/CD runners. Mercor confirmed as the first named victim: 4 TB including source code, databases, cloud storage, and verification workflows.

LiteLLM is a dependency for 1,705 PyPI packages including dspy (5M monthly downloads), opik (3M), and crawl4ai (1.4M). A developer who installed any of these in a fresh environment during March may have pulled the trojanized code indirectly.

pip show litellm | grep Version

If you see 1.82.7 or 1.82.8, proceed to credential rotation.

Credential Rotation Checklist

Cloud credentials:

1. AWS: create a new access key, delete the old one, review CloudTrail for unusual API calls
2. GCP: rotate service account keys, check audit logs
3. Azure: rotate Key Vault secrets, check activity logs

API keys and shell history:

1. Check every .env file in repositories the machine accessed. Rotate anything there.
2. cat ~/.bash_history and cat ~/.zsh_history. Any key in either file should be considered compromised.

SSH keys:

1. ssh-keygen -t ed25519 -C "new-key", remove the old public key from ~/.ssh/authorized_keys on all servers, update in GitHub/GitLab.

CI/CD:

1. Rotate all secrets in your CI/CD system.
2. Audit pipeline execution history for March. Look for unusual outbound network calls.

How Armor1 Catches This

This is the kind of vulnerability Armor1's dependency scanner catches automatically. For MCP servers listing LiteLLM as a dependency, the dependency risk scan flags CVE-2026-35030 (CVSS 9.4) and CVE-2026-35029 (CVSS 8.7) for any server running litellm < 1.83.0.

Run a scan on your MCP servers: https://dub.sh/ltQxgD8, free, no credit card.