{"id":273700,"date":"2026-06-15T12:39:00","date_gmt":"2026-06-15T16:39:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/15\/litellm-vulnerability-chain-lets-low-privilege-users-take-over-ai-gateway-servers\/"},"modified":"2026-06-15T13:55:22","modified_gmt":"2026-06-15T17:55:22","slug":"litellm-vulnerability-chain-lets-low-privilege-users-take-over-ai-gateway-servers","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/15\/litellm-vulnerability-chain-lets-low-privilege-users-take-over-ai-gateway-servers\/","title":{"rendered":"LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/litellm-vulnerability-chain-lets-low.html\">LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/litellm-vulnerability-chain-lets-low.html\">https:\/\/thehackernews.com\/2026\/06\/litellm-vulnerability-chain-lets-low.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-15 12:39:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities, researchers at Obsidian Security disclosed<\/p>\n<p>LiteLLM is a widely deployed open-source AI gateway that brokers calls to more than 100 model providers behind one OpenAI-compatible interface.<\/p>\n<p>A server takeover exposes every provider key it holds, the secrets that decrypt its stored credentials, and every prompt and response passing through it.<\/p>\n<p>Obsidian rates the full chain CVSS 9.9, in the Critical range. BerriAI, the maintainer, included the complete fix set in LiteLLM v1.83.14-stable, which GitHub lists as released May 2. Upgrade to that release or later to close the three-CVE chain.<\/p>\n<h2>The three bugs<\/h2>\n<p>The first link is CVE-2026-47101, an authorization bypass. When a regular user (an internal_user) generates a virtual API key, LiteLLM stores the caller-supplied allowed_routes field without checking it against the user&#8217;s role.<\/p>\n<p>The field is supposed to narrow what a key can do. Instead, the proxy also treats it as a fallback grant, so a non-admin can mint a key with allowed_routes: [&#8220;\/*&#8221;], a wildcard that reaches every route, including admin-only ones. The same unchecked write shows up on the other key-management endpoints, which is why the fix took three pull requests to land.<\/p>\n<p>With the route gate bypassed, the handlers behind it become reachable. Several of them assume the gate has already done the screening, which opens two paths.<\/p>\n<p>One is CVE-2026-47102, privilege escalation. The \/user\/update endpoint lets a user edit their own record, but does not restrict which fields they can write. A self-update with user_role: &#8220;proxy_admin&#8221; is accepted and saved, promoting the caller to full proxy admin. An org_admin can hit this endpoint through a legitimate, intended code path with no bypass required; a default internal_user reaches it after CVE-2026-47101.<\/p>\n<p>VulnCheck, which assigned the CVE, scores it 8.7 under CVSS 4.0, 8.8 under&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/litellm-vulnerability-chain-lets-low.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers https:\/\/thehackernews.com\/2026\/06\/litellm-vulnerability-chain-lets-low.html Publish Date: 2026-06-15&#8230;<\/p>\n","protected":false},"author":1,"featured_media":273702,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjiH9LcMRhk5Li59rG05yXoOOofNzGpeG1MMSKQqhFCGW_28n0SjLKd9D4MC68N7jPP6dF2h2l8gW1OE7Y7akY2fckld2w1UKa3itsrCKeDjo_2vgzuvL3HxZpJ5naBx5LgPdjxhekaFONzBtR9SoJw-ugGVXOuceLQQPvJzcj7SSCgbRsqurOgnIgZppo\/s1600\/litellm.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,27],"class_list":["post-273700","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/273700"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=273700"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/273700\/revisions"}],"predecessor-version":[{"id":273703,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/273700\/revisions\/273703"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/273702"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=273700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=273700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=273700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}