LiteLLM Three-CVE Chain Enables Full Server Takeover
Key insights
- Obsidian Security found a three-CVE chain in LiteLLM rated CVSS 9.9, exploitable from any default low-privilege account.
- CVE-2026-40217 exploits LiteLLM's Custom Code Guardrail exec(), which silently injects Python builtins, enabling reverse shell execution.
- A full compromise exposes master encryption keys, all provider API keys, and every prompt and response transiting the gateway.
Why this matters
LiteLLM functions as the single routing layer for every AI model call in many organizations, meaning a full compromise hands an attacker every configured provider API key, every prompt and response, and the ability to silently forge model outputs in transit. The exploit chain requires only a default low-privilege account, so any organization that has granted contractors, trial users, or internal teams access to a shared LiteLLM proxy is fully exposed until they upgrade to v1.83.14-stable. This disclosure establishes that AI gateways consolidate risk in direct proportion to how they consolidate access, making shared proxy deployments a high-value target for any actor seeking broad multi-provider AI infrastructure access.
Summary
Obsidian Security disclosed a three-CVE chain in LiteLLM, the open-source AI gateway for 100+ model providers, that lets any low-privilege user take full admin control and run arbitrary code on the server.
CVE-2026-47101 exploits missing validation on a caller-supplied route field to generate wildcard API key access. CVE-2026-47102 enables self-promotion to proxy_admin via the unguarded /user/update endpoint. CVE-2026-40217 turns the Custom Code Guardrail exec() into a reverse shell by silently injecting Python builtins.
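The builtins behaviour behind CVE-2026-40217, as an added example (not LiteLLM's code and not from the original article): when the globals dict passed to exec() has no `__builtins__` key, Python inserts the full builtins module, so a namespace that looks restricted is not. The names `name_resolves`, `reachable_sensitive`, `exec_adds_builtins` and `helper` are hypothetical.

```python
# Added example; not LiteLLM code. All function and variable names are hypothetical.
SENSITIVE = ("__import__", "compile", "eval", "exec", "open")


def name_resolves(name: str, namespace: dict) -> bool:
    """Return True if `name` can be looked up by code exec()'d in `namespace`."""
    if not name.isidentifier():
        raise ValueError("probe must be a plain identifier")
    ns = dict(namespace)  # copy: exec() mutates the dict it is given
    try:
        exec(f"_probe = {name}", ns)  # only resolves the name, calls nothing
    except NameError:
        return False
    return True


def reachable_sensitive(namespace: dict) -> list:
    """List the sensitive builtins that guardrail-style code could reach."""
    return [n for n in SENSITIVE if name_resolves(n, namespace)]


def exec_adds_builtins() -> bool:
    """Show the silent mutation: the key appears after any exec() call."""
    ns = {"helper": len}  # constructed "restricted" namespace
    exec("pass", ns)
    return "__builtins__" in ns


if __name__ == "__main__":
    # No __builtins__ key: Python injects the whole builtins module.
    print(reachable_sensitive({"helper": len}))
    # Explicit empty mapping: the same names no longer resolve.
    print(reachable_sensitive({"__builtins__": {}, "helper": len}))
    print(exec_adds_builtins())
```

An explicit `__builtins__` mapping only changes name lookup; it is not a sandbox, so user-supplied code still needs process-level isolation.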
Essentially: a CVSS 9.9 full takeover from a default account (Obsidian Security, LiteLLM).
- Compromise exposes master encryption keys, all configured provider API keys (OpenAI, Anthropic, Gemini, Bedrock, Azure), and every prompt and response in transit.
- Attackers can also forge AI model responses using LiteLLM's callback mechanism.
- Fix: v1.83.14-stable, released May 2.
A shared AI gateway is a single exploit away from total credential and inference compromise.
Potential risks and opportunities
Risks
- Organizations running LiteLLM in multi-tenant environments where contractors or external users hold low-privilege accounts face theft of all configured provider API keys (OpenAI, Anthropic, Gemini, Bedrock, Azure) until they deploy v1.83.14-stable
- Any LiteLLM deployment used as an MCP or agent gateway risks OAuth token and tool credential theft, per the article's enumeration of full-compromise exposure
- Unpatched LiteLLM proxies can be used to forge AI model responses in transit via the callback mechanism, enabling silent inference manipulation for any downstream application
Opportunities
- AI security vendors with proxy-layer monitoring capabilities (Protect AI, Lakera, Prompt Security) can position LiteLLM-specific detection rules as an urgent offering for customers
- Managed, security-hardened AI gateway services gain a concrete differentiator over self-hosted open-source LiteLLM deployments following a CVSS 9.9 disclosure
- Security audit firms and penetration testing practices gain a documented entry point for AI infrastructure engagements, with routing-layer security now a named and publicly exploited attack surface
What we don't know yet
- Whether any production LiteLLM deployments were actively exploited before Obsidian Security's disclosure and before the May 2 patch release
- Which specific LiteLLM versions going back to which release are affected by all three CVEs in the chain
- Whether the callback mechanism forgery capability requires the full three-CVE escalation chain or is independently exploitable by other means
Originally reported by thehackernews.com
Original headline: LiteLLM Three-CVE Chain (CVSS 9.9): Any Low-Privilege User Can Take Over AI Gateway Server and Execute Arbitrary Code