LiteLLM Three-CVE Chain Enables Full Server Takeover
Key insights
- A default viewer account with no elevated permissions is sufficient to start the chain via the authorization bypass in CVE-2026-47101.
- CVE-2026-42271 enables callback injection, letting attackers rewrite Claude Code responses in transit with no visible indicator of tampering to the developer.
- CISA added at least one CVE from this chain to its Known Exploited Vulnerabilities catalog, creating mandatory remediation deadlines for federal agencies.
Why this matters
Summary
Potential risks and opportunities
Risks
- Organizations running LiteLLM in multi-tenant environments where contractors or external users hold low-privilege accounts face theft of all configured provider API keys (OpenAI, Anthropic, Gemini, Bedrock, Azure) until they deploy v1.83.14-stable
- Any LiteLLM deployment used as an MCP or agent gateway risks OAuth token and tool credential theft, per the article's enumeration of full-compromise exposure
- Unpatched LiteLLM proxies can be used to forge AI model responses in transit via the callback mechanism, enabling silent inference manipulation for any downstream application
Opportunities
- AI security vendors with proxy-layer monitoring capabilities (Protect AI, Lakera, Prompt Security) can position LiteLLM-specific detection rules as an urgent offering for customers
- Managed, security-hardened AI gateway services gain a concrete differentiator over self-hosted open-source LiteLLM deployments following a CVSS 9.9 disclosure
- Security audit firms and penetration testing practices gain a documented entry point for AI infrastructure engagements, with routing-layer security now a named and publicly exploited attack surface
What we don't know yet
- Whether any production LiteLLM deployments were actively exploited before Obsidian Security's disclosure and before the May 2 patch release
- Which specific LiteLLM versions going back to which release are affected by all three CVEs in the chain
- Whether the callback mechanism forgery capability requires the full three-CVE escalation chain or is independently exploitable by other means
What others are reporting
-
Obsidian Security Read →
First-party researcher writeup with full exploit chain mechanics — the authoritative technical source for the authorization bypass, privilege escalation, and RCE steps.
A default low-privilege user can gain administrator access and execute arbitrary code on the LiteLLM server.
-
Cyber Security News Read →
Documents zero-credential RCE achieved by pairing CVE-2026-42271 with a Starlette Host Header bypass, and provides specific indicators of compromise for defenders.
Threat actors are actively exploiting a critical chained vulnerability in LiteLLM, a popular open-source AI gateway proxy, allowing unauthenticated remote code execution.
-
Rescana Read →
Expands the chain to four CVEs, confirms CISA KEV catalog inclusion, and adds context on the v1.82.7/v1.82.8 PyPI backdoor as a related supply chain vector.
A critical vulnerability chain has been identified in LiteLLM enabling low-privilege users to escalate privileges and ultimately seize full control of AI gateway servers.
-
adyog Pulse Read →
Frames the attack squarely around the developer trust problem: code received from Claude Code can be attacker-authored, with no UI signal to distinguish it from legitimate output.
A low-privilege viewer account can escalate to full system compromise through four linked exploits.
Originally reported by thehackernews.com
Read the original article →Original headline: LiteLLM Three-CVE Chain (CVSS 9.9): Any Low-Privilege User Can Take Over AI Gateway Server and Execute Arbitrary Code