docs(blog): security hardening April 2026 post

[ishaan-berri]

Relevant issues

N/A

What

Adds the April 2026 security hardening blog post disclosing:

• CVE-2026-35030: Authentication bypass via OIDC cache collision (Critical, JWT auth only)
• CVE-2026-35029: Privilege escalation via /config/update (High)
• Password hash exposure + pass-the-hash login (High)

All fixed in v1.83.0. Also announces the bug bounty program.

Pre-Submission checklist

• No code changes (docs only)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
litellm	Building	Preview, Comment	Apr 3, 2026 8:03pm

[codspeed-hq]

Merging this PR will not alter performance

✅ 16 untouched benchmarks

---

_{Comparing worktree-hidden-tinkering-manatee (3aa42c4) with main (d4a3a5e)¹}

Footnotes

1. No successful run was found on litellm_ishaan_docs_2 (d4a3a5e) during the generation of this report, so main (d4a3a5e) was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[greptile-apps]

Greptile Summary

This is a documentation-only PR adding the April 2026 security hardening blog post. It discloses three vulnerabilities fixed in v1.83.0 — a critical JWT/OIDC cache-key collision (CVE-2026-35030), a privilege escalation on /config/update (CVE-2026-35029), and a password hash exposure / pass-the-hash login chain (GHSA-69x8-hrgq-fjj8) — and announces the new bug bounty program.

• The technical descriptions are accurate and consistent with the known vulnerability details (e.g. token[:20] cache key → sha256(token), scrypt replacement for SHA-256, proxy_admin gate on /config/update).
• CVE/GHSA identifiers and their linked GitHub advisory URLs are internally consistent throughout the post.
• One minor style nit: the bug bounty section mixes P0/P1 priority labels in prose with Critical/High severity labels in the table — these are different schemes and could confuse researchers. Aligning both to Critical/High (the CVSS vocabulary used everywhere else in the post) would improve clarity.
• No code changes; all custom rules are inapplicable to this PR.

Confidence Score: 5/5

Safe to merge — docs-only change with no code impact and accurate security disclosures.

Single documentation file added; no code changes, no test changes, and no architectural impact. The only finding is a P2 style nit (severity label inconsistency in the bug bounty table) that does not block merge.

No files require special attention.

Important Files Changed

Filename	Overview
docs/my-website/blog/security_hardening_april_2026/index.md	New security blog post disclosing three vulnerabilities (CVE-2026-35030, CVE-2026-35029, GHSA-69x8-hrgq-fjj8) fixed in v1.83.0; content is accurate and links are internally consistent, with one minor P0/P1 vs Critical/High label mismatch in the bug bounty table.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Request with JWT] --> B{enable_jwt_auth enabled?}
    B -- No --> C[Standard API key auth]
    B -- Yes --> D[OIDC UserInfo lookup]
    D --> E{Cache hit?}
    E -- Hit OLD --> F[Return cached userinfo\nVulnerable: cache keyed on first 20 chars\nCVE-2026-35030]
    E -- Miss --> G[Fetch from OIDC provider]
    G --> H[Store in cache\nFixed: cache keyed on full hash\nv1.83.0]
    H --> I[Return userinfo]

Loading

_{Reviews (1): Last reviewed commit: "docs(blog): add security hardening April..." | Re-trigger Greptile}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[greptile-apps]

Severity label mismatch in bug bounty section

The introductory sentence uses P0/P1 priority labels, but the table immediately below uses Critical/High severity labels — these are different classification schemes and a researcher reading this might be confused about which system applies. Consider aligning them to one vocabulary throughout (CVSS-style Critical/High is the standard used by the rest of the post).

Suggested change

	Bounties are currently paid for P0 (supply chain) and P1 (unauthenticated proxy access) vulnerabilities:
	| Severity | Bounty | Example |
	|----------|--------|---------|
	| Critical | $1,500 – $3,000 | Supply chain compromise |
	| High | $500 – $1,500 | Unauthenticated access to protected data |
	Bounties are currently paid for Critical (supply chain) and High (unauthenticated proxy access) vulnerabilities:
	| Severity | Bounty | Example |
	|----------|--------|---------|
	| Critical | $1,500 – $3,000 | Supply chain compromise |
	| High | $500 – $1,500 | Unauthenticated access to protected data |

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!