Recent research has uncovered a critical vulnerability chain in LiteLLM, an open-source AI gateway, that allows low-privileged users to escalate their privileges and execute arbitrary code on the server. This chain comprises three distinct vulnerabilities, each contributing to the overall risk.
Understanding the Vulnerabilities
The first vulnerability, identified as CVE-2026-47101, involves an authorization bypass. LiteLLM permits regular users to generate virtual API keys with specified access routes. However, the system fails to validate the ‘allowed_routes’ field against the user’s role. Consequently, a non-admin user can create a key with unrestricted access, effectively granting themselves administrative capabilities.
Building upon this, CVE-2026-47102 pertains to privilege escalation. The ‘/user/update’ endpoint allows users to modify their own records without restrictions on which fields can be altered. By updating their ‘user_role’ to ‘proxy_admin,’ a user can elevate their privileges to full administrative rights.
The third vulnerability, CVE-2026-40217, is a sandbox escape within the Custom Code Guardrail feature. This feature compiles and executes admin-supplied Python code. Due to inadequate filtering, the system executes code with full built-in functions, enabling attackers to run arbitrary commands on the server.
Potential Impact
Exploiting this vulnerability chain grants attackers access to sensitive information, including master keys, decryption keys for stored credentials, and database URLs. Additionally, all configured provider keys for services like OpenAI, Anthropic, Gemini, Bedrock, and Azure become accessible. This exposure compromises the confidentiality and integrity of data processed through the LiteLLM gateway.
Mitigation Measures
To address these vulnerabilities, LiteLLM maintainers have released version 1.83.14-stable, which includes patches for all three issues. Users are strongly advised to upgrade to this version or later to secure their systems. In environments where immediate patching isn’t feasible, implementing strict access controls and monitoring for unusual activity is recommended.
This incident underscores the importance of rigorous input validation and access control mechanisms in software development. Organizations should prioritize regular security assessments and prompt patching to mitigate the risks associated with such vulnerabilities.
