Threat Advisory

LiteLLM Vulnerabilities Allow Privilege Escalation via API

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in LiteLLM, an open‑source AI gateway used to proxy requests to over 100 model providers. A chain of three flaws – an authorization bypass, a privilege‑escalation flaw, and a sandbox escape that leads to remote code execution – enables a low‑privilege user to gain full admin rights and execute arbitrary code on the server. Successful exploitation would expose all provider API keys, decryption salts, stored credentials, and any data passing through the gateway, including proprietary prompts, responses, and potentially PII. The risk is a complete compromise of AI‑driven workflows and data leakage.


  • CVE-2026-47101 – An authorization bypass allows a non‑admin user to create a virtual API key with an allowed_routes field set to ["/*"], granting unrestricted access to all proxy routes, including admin‑only endpoints.
  • CVE-2026-47102 (CVSS score 8.8) – A privilege‑escalation flaw lets a user update their own record via /user/update and set user_role to "proxy_admin", promoting the caller to full proxy administrator without additional checks.
  • CVE-2026-40217 – A sandbox escape in the Custom Code Guardrail executes admin‑supplied Python via exec() without a restricted builtins dictionary, enabling arbitrary system calls and remote code execution.
  • CVE-2026-42271 – An MCP preview endpoint vulnerability permits callers to spawn subprocesses on the host, allowing attackers to achieve code execution through the proxy’s Model Context Protocol support.

These chained vulnerabilities give an attacker the ability to take full control of the LiteLLM gateway, exfiltrate sensitive AI model keys and data, and manipulate model responses to drive downstream systems. Organizations relying on LiteLLM for AI integration face immediate risk of data breach, loss of intellectual property, and potential operational disruption, making rapid remediation essential.
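
As an added example (not from the advisory or the LiteLLM project), the following audit checks an exported user and key listing for the two states that CVE-2026-47101 and CVE-2026-47102 leave behind: a wildcard allowed_routes on a key owned by a non-admin, and a "proxy_admin" role on an account outside the approved list. The export layout, the user_id and key_alias fields, the approved-admin list and the sample records are assumptions constructed for illustration.

```python
import json

ADMIN_ROLE = "proxy_admin"   # role value named in the advisory
WILDCARDS = {"/*", "*"}      # "/*" is from the advisory; bare "*" is an added assumption

# Constructed sample export. Only allowed_routes and user_role come from the
# advisory; user_id, key_alias and the overall layout are hypothetical.
SAMPLE = json.loads("""
{
  "users": [
    {"user_id": "alice",   "user_role": "proxy_admin"},
    {"user_id": "bob",     "user_role": "internal_user"},
    {"user_id": "mallory", "user_role": "proxy_admin"}
  ],
  "keys": [
    {"key_alias": "ci-chat",   "user_id": "bob",   "allowed_routes": ["/chat/completions"]},
    {"key_alias": "bob-extra", "user_id": "bob",   "allowed_routes": [" /* "]},
    {"key_alias": "ops-admin", "user_id": "alice", "allowed_routes": ["/*"]},
    {"key_alias": "no-routes", "user_id": "bob"}
  ]
}
""")

def is_wildcard(routes):
    """True if any entry grants every route; tolerates a missing or null field."""
    return any(isinstance(r, str) and r.strip() in WILDCARDS for r in routes or [])

def audit(export, approved_admins):
    """Return (finding, identifier) pairs that need manual review."""
    findings = []
    for user in export.get("users", []):
        # CVE-2026-47102 leaves a self-promoted account holding the admin role.
        if user.get("user_role") == ADMIN_ROLE and user["user_id"] not in approved_admins:
            findings.append(("unapproved_admin", user["user_id"]))
    for key in export.get("keys", []):
        # CVE-2026-47101 leaves a wildcard key owned by a non-admin. Ownership is
        # checked against the approved list, not the stored role, because the
        # stored role may itself be the result of the escalation.
        if is_wildcard(key.get("allowed_routes")) and key.get("user_id") not in approved_admins:
            findings.append(("wildcard_key", key["key_alias"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, approved_admins={"alice"}):
        print(*finding)
```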

RECOMMENDATION:

  • We recommend updating LiteLLM to version v1.83.14-stable or later.

REFERENCES:

The following reports contain further technical details:
https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html
