Researchers from Obsidian Security have identified a critical vulnerability chain in LiteLLM, an open-source AI gateway. This flaw enables users with low-level privileges to escalate their permissions to full administrative access, potentially leading to server control. LiteLLM facilitates connections to over 100 AI models through a singular OpenAI-compatible interface, making it a critical infrastructure component.
Details of the Vulnerabilities
The vulnerability chain, which Obsidian rates as critical with a CVSS score of 9.9, involves three specific flaws. The first, CVE-2026-47101, is an authorization bypass. It allows users to create API keys with unrestricted access due to inadequate role-based checks on the allowed_routes field. This oversight permits non-admin users to gain unauthorized access to admin-only routes.
The second, CVE-2026-47102, involves privilege escalation. By exploiting the /user/update endpoint, a user can modify their role to ‘proxy_admin’ without proper validation. This escalation can occur naturally for an org_admin or through the bypass created by the first vulnerability.
The third flaw, CVE-2026-40217, is a sandbox escape within the Custom Code Guardrail. This vulnerability allows for server-side code execution using Python’s exec() function, which lacks appropriate source-level filtering. This flaw can be exploited to execute arbitrary code on the server.
Potential Consequences and Risks
The implications of exploiting this vulnerability chain are significant. An attacker gaining full control of a LiteLLM server could access sensitive data, including provider keys and decrypted credentials. Additionally, every prompt and response passing through the server becomes exposed, potentially compromising personal and proprietary information.
Moreover, the ability to alter responses between AI agents and models elevates the risk. Obsidian demonstrated how an attacker could manipulate responses using LiteLLM’s callback mechanism, bypassing detection in the admin UI. This could lead to unauthorized actions masquerading as legitimate operations.
Mitigation and Future Outlook
To mitigate these risks, users are advised to upgrade to LiteLLM version 1.83.14-stable or later. This release includes patches for the identified vulnerabilities. Organizations should conduct thorough audits to re-verify accounts with proxy_admin access and examine Custom Code Guardrails for potential threats.
Given LiteLLM’s critical role in AI infrastructure, maintaining vigilance is essential. Regularly rotating provider keys, inspecting callback configurations, and verifying code integrity are crucial steps in safeguarding against future exploits.
While the current vulnerabilities have not been seen exploited in the wild, the strategic position of LiteLLM in AI ecosystems makes it a persistent target. Continual updates and proactive security measures are key to mitigating threats and ensuring data integrity.
