From 2a6f74166193922d72ec40029a7132e3a475fac5 Mon Sep 17 00:00:00 2001
From: ChenGabbay
Date: Sun, 19 Apr 2026 16:14:11 +0300
Subject: [PATCH] Bump litellm from 1.82.2 to 1.83.0 (CVE-2026-35030)

litellm < 1.83.0 is vulnerable to OIDC authentication bypass via JWT cache collision (CVE-2026-35030 / GHSA-jjhc-v7c2-5hh6). The flaw is in the OIDC userinfo caching mechanism which uses only the first 20 characters of a JWT token as the cache key, allowing an attacker to craft a token that collides with a legitimate user's cached entry. Bump the pinned version to 1.83.0 which fixes the cache key to use the full hash of the JWT token. Reference: https://github.com/advisories/GHSA-jjhc-v7c2-5hh6
Co-Authored-By: Claude Opus 4.6 (1M context)
---
pyproject.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index c82b901..61e9c08 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -99,7 +99,7 @@ dependencies = [
 "fastjsonschema (>=2.21.2,<3.0.0)",
 "genai-prices==0.0.55", # pin version due to frequent API changes
 "jinja2 (>=3.1.5,<4.0.0)",
- "litellm==1.82.2", # pin version due to occasional instability between patches and minor versions
+ "litellm==1.83.0", # pin version due to occasional instability between patches and minor versions (bumped for CVE-2026-35030)
 "lxml (>=5.4.0,<7.0.0)",
 "openai==2.21.0", # pinned version for stable compatibility with litellm (after issue with 1.100.0)
 "pillow (>=11.3.0,<12.0.0)",