thehackernews.com web signal

LiteLLM Three-CVE Chain Enables Full Server Takeover

5 sources tracking this story
cybersecurity agents enterprise ai ai-security vulnerability

Key insights

  • A default viewer account with no elevated permissions is sufficient to start the chain via the authorization bypass in CVE-2026-47101.
  • CVE-2026-42271 enables callback injection, letting attackers rewrite Claude Code responses in transit with no visible indicator of tampering to the developer.
  • CISA added at least one CVE from this chain to its Known Exploited Vulnerabilities catalog, creating mandatory remediation deadlines for federal agencies.

Why this matters

LiteLLM is the transit layer for every AI provider API call in an enterprise deployment, so a full compromise gives an attacker simultaneous access to all provider keys and the ability to rewrite AI responses in flight with no visible indicator. Obsidian Security, the original researcher, confirmed that a default low-privilege account is sufficient to chain four vulnerabilities to full RCE — no elevated starting position is required. Rescana's analysis verified that CISA added at least one CVE from this chain to its Known Exploited Vulnerabilities catalog, triggering mandatory federal remediation deadlines. CyberSecurityNews documented active exploitation reaching zero-credential RCE by pairing CVE-2026-42271 with a Starlette Host Header bypass, and the partial patch in v1.83.10 that only addressed CVE-2026-47102 created false remediation confidence in organizations that stopped upgrading before v1.83.14-stable.

Summary

Obsidian Security disclosed a three-CVE chain in LiteLLM, the open-source AI gateway for 100+ model providers, that lets any low-privilege user take full admin control and run arbitrary code on the server. CVE-2026-47101 exploits missing validation on a caller-supplied route field to generate wildcard API key access. CVE-2026-47102 enables self-promotion to proxy_admin via the unguarded /user/update endpoint. CVE-2026-40217 turns the Custom Code Guardrail exec() into a reverse shell by silently injecting Python builtins. Essentially: (Obsidian Security, LiteLLM) CVSS 9.9 full takeover from a default account. - Compromise exposes master encryption keys, all configured provider API keys (OpenAI, Anthropic, Gemini, Bedrock, Azure), and every prompt and response in transit. - Attackers can also forge AI model responses using LiteLLM's callback mechanism. - Fix: v1.83.14-stable, released May 2. A shared AI gateway is a single exploit away from total credential and inference compromise.

Potential risks and opportunities

Risks

  • Organizations running LiteLLM in multi-tenant environments where contractors or external users hold low-privilege accounts face theft of all configured provider API keys (OpenAI, Anthropic, Gemini, Bedrock, Azure) until they deploy v1.83.14-stable
  • Any LiteLLM deployment used as an MCP or agent gateway risks OAuth token and tool credential theft, per the article's enumeration of full-compromise exposure
  • Unpatched LiteLLM proxies can be used to forge AI model responses in transit via the callback mechanism, enabling silent inference manipulation for any downstream application

Opportunities

  • AI security vendors with proxy-layer monitoring capabilities (Protect AI, Lakera, Prompt Security) can position LiteLLM-specific detection rules as an urgent offering for customers
  • Managed, security-hardened AI gateway services gain a concrete differentiator over self-hosted open-source LiteLLM deployments following a CVSS 9.9 disclosure
  • Security audit firms and penetration testing practices gain a documented entry point for AI infrastructure engagements, with routing-layer security now a named and publicly exploited attack surface

What we don't know yet

  • Whether any production LiteLLM deployments were actively exploited before Obsidian Security's disclosure and before the May 2 patch release
  • Which specific LiteLLM versions going back to which release are affected by all three CVEs in the chain
  • Whether the callback mechanism forgery capability requires the full three-CVE escalation chain or is independently exploitable by other means

What others are reporting

Coverage cluster as of 24h after publish

  1. Obsidian Security Read →

    First-party researcher writeup with full exploit chain mechanics — the authoritative technical source for the authorization bypass, privilege escalation, and RCE steps.

    A default low-privilege user can gain administrator access and execute arbitrary code on the LiteLLM server.
  2. Cyber Security News Read →

    Documents zero-credential RCE achieved by pairing CVE-2026-42271 with a Starlette Host Header bypass, and provides specific indicators of compromise for defenders.

    Threat actors are actively exploiting a critical chained vulnerability in LiteLLM, a popular open-source AI gateway proxy, allowing unauthenticated remote code execution.
  3. Rescana Read →

    Expands the chain to four CVEs, confirms CISA KEV catalog inclusion, and adds context on the v1.82.7/v1.82.8 PyPI backdoor as a related supply chain vector.

    A critical vulnerability chain has been identified in LiteLLM enabling low-privilege users to escalate privileges and ultimately seize full control of AI gateway servers.
  4. adyog Pulse Read →

    Frames the attack squarely around the developer trust problem: code received from Claude Code can be attacker-authored, with no UI signal to distinguish it from legitimate output.

    A low-privilege viewer account can escalate to full system compromise through four linked exploits.