LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers

Staff Editor 2026-06-15
LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers

LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers

https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html

Publish Date: 2026-06-15 12:39:00

Source Domain: thehackernews.com

A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities, researchers at Obsidian Security disclosed

LiteLLM is a widely deployed open-source AI gateway that brokers calls to more than 100 model providers behind one OpenAI-compatible interface.

A server takeover exposes every provider key it holds, the secrets that decrypt its stored credentials, and every prompt and response passing through it.

Obsidian rates the full chain CVSS 9.9, in the Critical range. BerriAI, the maintainer, included the complete fix set in LiteLLM v1.83.14-stable, which GitHub lists as released May 2. Upgrade to that release or later to close the three-CVE chain.

The three bugs

The first link is CVE-2026-47101, an authorization bypass. When a regular user (an internal_user) generates a virtual API key, LiteLLM stores the caller-supplied allowed_routes field without checking it against the user’s role.

The field is supposed to narrow what a key can do. Instead, the proxy also treats it as a fallback grant, so a non-admin can mint a key with allowed_routes: [“/*”], a wildcard that reaches every route, including admin-only ones. The same unchecked write shows up on the other key-management endpoints, which is why the fix took three pull requests to land.

With the route gate bypassed, the handlers behind it become reachable. Several of them assume the gate has already done the screening, which opens two paths.

One is CVE-2026-47102, privilege escalation. The /user/update endpoint lets a user edit their own record, but does not restrict which fields they can write. A self-update with user_role: “proxy_admin” is accepted and saved, promoting the caller to full proxy admin. An org_admin can hit this endpoint through a legitimate, intended code path with no bypass required; a default internal_user reaches it after CVE-2026-47101.

VulnCheck, which assigned the CVE, scores it 8.7 under CVSS 4.0, 8.8 under…

Source

More Stories

Cybersecurity executives urge the Trump administration to ease restrictions on Anthropic AI models

Cybersecurity executives urge the Trump administration to ease restrictions on Anthropic AI models

Staff Editor 2026-06-15
Australian Sugar Producer Mackay Sugar Reports Cyber Incident

Australian Sugar Producer Mackay Sugar Reports Cyber Incident

Staff Editor 2026-06-15
NSPM-12: The NSS cyber memo agencies cannot ignore

NSPM-12: The NSS cyber memo agencies cannot ignore

Staff Editor 2026-06-15

Terms and Conditions - Privacy Policy