The Vulnerability Chain

A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities: CVE-2026-47101, CVE-2026-47102, and CVE-2026-40217.

LiteLLM is a widely deployed open-source AI gateway that brokers calls to more than 100 model providers behind one OpenAI-compatible interface. Obsidian Security rates the full vulnerability chain CVSS 9.9, in the Critical range.

Attack Chain Breakdown

CVE-2026-47101 is an authorization bypass where a regular user can mint a virtual API key with allowed_routes set to ["/*"] to reach admin-only routes.

CVE-2026-47102 allows a user to edit their own record via the /user/update endpoint and promote themselves to proxy_admin by writing user_role: "proxy_admin".

CVE-2026-40217 is a sandbox escape in LiteLLM’s Custom Code Guardrail: Python code is executed through exec() without source-level filtering, which lets attackers access builtins and execute arbitrary code.
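For defenders reviewing a deployment, the first two steps leave durable state behind: a key with wildcard routes and an unexpected proxy_admin. The following check is an added example, not LiteLLM or Obsidian Security code; the record shapes (key_alias, user_id), the sample data and the expected-admin allowlist are assumptions, and only allowed_routes, user_role and proxy_admin come from the article.

```python
"""Audit exported key and user records for the first two steps of the chain."""

ADMIN_ROLE = "proxy_admin"  # role name given in the article


def audit(keys, users, expected_admins):
    """Return sorted (finding, subject) tuples.

    keys:  dicts with key_alias, user_id, allowed_routes (assumed export shape)
    users: dicts with user_id, user_role (assumed export shape)
    expected_admins: user_ids that are supposed to hold proxy_admin
    """
    findings = []
    # CVE-2026-47101 indicator: a wildcard route grant on a key whose owner
    # is not a known admin. The allowlist is used instead of the stored role
    # because the stored role may itself have been tampered with.
    for key in keys:
        routes = key.get("allowed_routes") or []
        if any("*" in r for r in routes) and key.get("user_id") not in expected_admins:
            findings.append(("wildcard_routes_on_non_admin_key", key.get("key_alias", "?")))
    # CVE-2026-47102 indicator: a proxy_admin nobody provisioned.
    for user in users:
        if user.get("user_role") == ADMIN_ROLE and user.get("user_id") not in expected_admins:
            findings.append(("unexpected_proxy_admin", user.get("user_id", "?")))
    return sorted(findings)


# Constructed sample data, not taken from any real deployment.
SAMPLE_USERS = [
    {"user_id": "alice", "user_role": "proxy_admin"},
    {"user_id": "bob", "user_role": "internal_user"},
    {"user_id": "mallory", "user_role": "proxy_admin"},
]
SAMPLE_KEYS = [
    {"key_alias": "ci-key", "user_id": "bob", "allowed_routes": ["/chat/completions"]},
    {"key_alias": "ops-key", "user_id": "alice", "allowed_routes": ["/*"]},
    {"key_alias": "tmp-key", "user_id": "mallory", "allowed_routes": ["/*"]},
]
EXPECTED_ADMINS = {"alice"}

if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_KEYS, SAMPLE_USERS, EXPECTED_ADMINS):
        print(f"{finding}: {subject}")
```

Findings are review leads rather than proof of compromise; a clean result on an unpatched version does not mean the chain is unreachable.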

Impact on Compromised Deployments

A server takeover via the LiteLLM vulnerability chain exposes every provider key it holds, the secrets that decrypt its stored credentials, and every prompt and response passing through it.

Beyond credential theft, a compromised LiteLLM proxy can alter AI agent responses in transit by using its built-in callback mechanism to forge tool calls and rewrite safety-check context.

LiteLLM hands a proxy_admin an intentional code-execution path through its MCP support: an admin can register stdio MCP servers, which the proxy launches as local subprocesses.

Patch Available

BerriAI, the maintainer of LiteLLM, included the complete fix set in LiteLLM v1.83.14-stable, which GitHub lists as released May 2.

Recent LiteLLM Security History

This vulnerability chain arrives amid a pattern of critical issues in LiteLLM. In March 2026, a supply-chain compromise backdoored two LiteLLM releases on PyPI. In April 2026, a critical SQL injection vulnerability in LiteLLM was exploited within 36 hours of disclosure.


Source: The Hacker News