Executive Summary
A critical vulnerability chain has been identified in LiteLLM, a widely adopted open-source AI gateway and proxy solution. This chain enables low-privilege users to escalate their privileges and ultimately seize full control of AI gateway servers. The vulnerabilities, disclosed by Obsidian Security and tracked under several CVEs, allow attackers to bypass authorization, escalate privileges to admin, execute arbitrary code, and exfiltrate sensitive AI credentials and data. The chain is rated as CVSS 9.9 (Critical) and affects all LiteLLM versions prior to v1.83.14-stable. Immediate action is required to mitigate the risk of compromise, as exploitation in the wild has already been observed.
Technical Information
The vulnerability chain in LiteLLM is composed of several interlinked flaws that, when exploited sequentially, allow a low-privilege user to achieve remote code execution (RCE) and full administrative control over the AI gateway. The affected product is LiteLLM, an open-source AI gateway/proxy that facilitates secure and scalable access to large language models (LLMs) from multiple providers.
The vulnerabilities are as follows:
The first vulnerability, CVE-2026-47101 (Authorization Bypass), arises from improper validation of the allowed_routes field when a regular user generates a virtual API key. LiteLLM fails to enforce role-based restrictions, allowing a non-admin user to create a key with allowed_routes: ["/*"], which grants access to all API routes, including those reserved for administrators. This flaw enables lateral movement and sets the stage for further privilege escalation.
The second vulnerability, CVE-2026-47102 (Privilege Escalation), is present in the /user/update endpoint. This endpoint allows users to modify their own records without restricting which fields can be altered. An attacker can exploit this by setting their user_role to "proxy_admin", thereby elevating their privileges to full administrative access. This vulnerability is rated CVSS 8.7 (CVSS 4.0) and 8.8 (CVSS 3.1), reflecting its high impact and ease of exploitation.
The third vulnerability, CVE-2026-40217 (Sandbox Escape / Remote Code Execution), is found in the Custom Code Guardrail feature. This feature compiles and executes admin-supplied Python code using the exec() function. If exec() is invoked with a globals dictionary that lacks the __builtins__ key, Python automatically injects the full builtins module, exposing dangerous functions such as __import__, open, and eval. An attacker with admin privileges can leverage this to execute arbitrary code on the server, including spawning reverse shells or deploying persistent malware.
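The exec() behaviour described above, shown as an added example (not LiteLLM's code): a constructed stand-in for an admin-supplied guardrail is run once with a globals dict that lacks __builtins__ and once with an explicit allowlist, so you can see which builtin names each policy exposes to the guardrail code.

```python
"""Added example, not LiteLLM's code: how exec() treats a globals dict with
no __builtins__ key, next to the same call with an explicit allowlist.
GUARDRAIL_SRC and PROBE_SRC are constructed stand-ins for admin-supplied
Custom Code Guardrail snippets."""

# A legitimate guardrail only needs a handful of builtins (here: len).
GUARDRAIL_SRC = "def check(text):\n    return len(text) <= 20\n"
# A probe that merely references the builtin `open` when called.
PROBE_SRC = "def check(text):\n    return open\n"

# Builtins a guardrail is allowed to use under the hardened policy.
SAFE_BUILTINS = {"len": len, "min": min, "max": max, "str": str, "int": int}


def make_env(use_allowlist: bool) -> dict:
    """Globals for exec(). Without the allowlist the dict has no
    __builtins__ key, which is the weak pattern the advisory describes."""
    return {"__builtins__": dict(SAFE_BUILTINS)} if use_allowlist else {}


def available_builtins(use_allowlist: bool) -> set:
    """Names reachable from guardrail code under the given policy."""
    env = make_env(use_allowlist)
    exec(GUARDRAIL_SRC, env)
    # CPython fills a missing __builtins__ with the builtins module's dict;
    # accept a module object too, for portability.
    b = env["__builtins__"]
    return set(b if isinstance(b, dict) else vars(b))


def guardrail_can(name: str, use_allowlist: bool) -> bool:
    """True if guardrail code could resolve the builtin `name`."""
    return name in available_builtins(use_allowlist)


def run_check(src: str, text: str, use_allowlist: bool):
    """Define check() from src under the policy and call it; return its
    result, or the exception class name if the call fails."""
    env = make_env(use_allowlist)
    exec(src, env)
    try:
        return env["check"](text)
    except Exception as exc:  # NameError is the expected failure mode
        return type(exc).__name__


if __name__ == "__main__":
    print("open reachable without allowlist:", guardrail_can("open", False))
    print("open reachable with allowlist:   ", guardrail_can("open", True))
    print("restricted probe result:", run_check(PROBE_SRC, "x", True))
```

Supplying an allowlisted __builtins__ removes the automatic injection the advisory describes, but it is not a sandbox: Python code can still reach other objects through introspection, so admin-supplied guardrail code must be treated as fully trusted and the admin role itself protected.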
An additional vulnerability, CVE-2026-42271 (MCP Preview Endpoint RCE), allows attackers to spawn subprocesses via the MCP preview endpoints. This vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
The attack chain typically unfolds as follows: a low-privilege user exploits CVE-2026-47101 to gain access to admin endpoints, uses CVE-2026-47102 to escalate privileges to admin, and then leverages CVE-2026-40217 or CVE-2026-42271 to achieve remote code execution.
The impact of this chain is severe. Attackers can exfiltrate all provider keys (including OpenAI, Anthropic, Gemini, Bedrock, Azure, and others), the master key, salt key, and database URL. All prompts and responses, including those containing personally identifiable information (PII), source code, internal tickets, and secrets, are exposed. Attackers can manipulate AI agent responses in transit, potentially leading to downstream compromise. Persistence can be achieved by hiding malicious callbacks in the config.yaml file under litellm_settings.callbacks, which are not visible in the admin UI.
Indicators of compromise include unauthorized accounts with the proxy_admin role, suspicious entries in litellm_settings.callbacks, outbound connections from the LiteLLM server (indicative of reverse shells), unrecognized subprocesses spawned by the LiteLLM process, and access logs showing use of wildcard allowed_routes or unexpected access to admin endpoints.
The vulnerabilities map to several MITRE ATT&CK techniques, including T1078 (Valid Accounts) for privilege escalation, T1059 (Command and Scripting Interpreter) for remote code execution, T1566 (Phishing) for potential response manipulation, and T1210 (Exploitation of Remote Services) for abuse of exposed endpoints.
Exploitation in the Wild
CVE-2026-42271 has been confirmed as exploited in the wild, with active attacks reported and its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog. Proof-of-concept (PoC) exploits for the full privilege escalation chain (CVE-2026-47101 → CVE-2026-47102 → CVE-2026-40217) have been published by Obsidian Security and X41 D-Sec, demonstrating the feasibility of chaining these vulnerabilities for complete server takeover. While widespread exploitation of the full chain has not yet been confirmed, the availability of PoCs and the attractiveness of the attack surface make it likely that threat actors will adopt these techniques rapidly.
In addition to direct exploitation, a significant supply chain attack occurred in March 2026, when LiteLLM PyPI releases 1.82.7 and 1.82.8 were backdoored. Users who installed these versions were exposed to additional risks, including the possibility of pre-installed malware or credential theft. This incident underscores the importance of verifying the integrity of open-source dependencies and monitoring for anomalous behavior following upgrades.
APT Groups using this vulnerability
While no specific advanced persistent threat (APT) group has been definitively attributed to the exploitation of the LiteLLM privilege escalation chain, the attack surface is highly attractive to both criminal and state-sponsored actors. The group TeamPCP has been linked to previous supply chain attacks on LiteLLM and other security tools, as documented by Trend Micro. Given the criticality of the vulnerabilities and the sensitive data processed by AI gateways, it is likely that both financially motivated cybercriminals and nation-state actors are actively investigating or exploiting these flaws.
Affected Product Versions
The affected product is LiteLLM, an open-source AI gateway/proxy. All versions from v1.74.2 up to (but not including) v1.83.14-stable are vulnerable to the full privilege escalation and remote code execution chain. Notably, v1.82.7 and v1.82.8 were backdoored on PyPI, compounding the risk for users of those releases. The vulnerabilities are fully remediated in v1.83.14-stable and later versions. Organizations running any version prior to v1.83.14-stable are strongly advised to upgrade immediately.
Workaround and Mitigation
The primary mitigation is to upgrade LiteLLM to v1.83.14-stable or later, as these versions contain patches for all known vulnerabilities in the chain. Organizations should audit all accounts with proxy_admin privileges and review all Custom Code Guardrails for unauthorized or suspicious code. It is essential to check for hidden callbacks in the config.yaml file under litellm_settings.callbacks, as attackers may use this vector for persistence. If compromise is suspected, all provider keys, database credentials, and MCP tokens should be rotated immediately. Continuous monitoring for indicators of compromise, such as unauthorized admin accounts, suspicious callbacks, outbound connections, and anomalous subprocesses, is recommended. Reviewing server logs for evidence of wildcard allowed_routes or unexpected access to admin endpoints can help detect ongoing or past exploitation.
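An audit pass over the indicators listed in the Technical Information and mitigation sections, as an added example (not LiteLLM's code or tooling): it flags proxy_admin accounts outside an expected set, virtual keys whose allowed_routes let a non-admin reach /user/update, and entries under litellm_settings.callbacks that are not on an allowlist. The user and key records, the allowlists, and the glob-style route matching are all constructed assumptions for this example.

```python
"""Added example, not LiteLLM's code: audit exported LiteLLM records for the
indicators of compromise named in the advisory. Record layout, allowlists
and the route-matching rule are assumptions made for this example."""
from fnmatch import fnmatch

# Constructed operator allowlists (not LiteLLM defaults).
EXPECTED_ADMINS = {"alice@corp.example"}
EXPECTED_CALLBACKS = {"langfuse"}
ADMIN_PATH = "/user/update"  # admin endpoint named in the advisory

# Constructed records standing in for exported user rows, key rows and a
# config.yaml already loaded into a dict (e.g. with yaml.safe_load).
USERS = [
    {"user_id": "alice@corp.example", "user_role": "proxy_admin"},
    {"user_id": "bob@corp.example", "user_role": "internal_user"},
    {"user_id": "mallory@corp.example", "user_role": "proxy_admin"},
]
KEYS = [
    {"token": "key-A", "user_id": "bob@corp.example",
     "allowed_routes": ["/chat/completions"]},
    {"token": "key-B", "user_id": "bob@corp.example",
     "allowed_routes": ["/*"]},
]
CONFIG = {"litellm_settings": {"callbacks": ["langfuse", "custom_hooks.handler"]}}


def key_reaches(allowed_routes, path: str) -> bool:
    """Does any allowed_routes pattern cover path? Glob matching here is an
    assumption standing in for LiteLLM's own route check."""
    return any(fnmatch(path, pattern) for pattern in (allowed_routes or []))


def audit(users, keys, config) -> list:
    """Return one finding string per indicator; empty list means clean."""
    findings = []
    role = {u["user_id"]: u.get("user_role") for u in users}
    for u in users:
        if u.get("user_role") == "proxy_admin" and u["user_id"] not in EXPECTED_ADMINS:
            findings.append(f"unexpected proxy_admin: {u['user_id']}")
    for k in keys:
        if role.get(k["user_id"]) != "proxy_admin" and key_reaches(k.get("allowed_routes"), ADMIN_PATH):
            findings.append(f"non-admin key {k['token']} reaches {ADMIN_PATH} via {k['allowed_routes']}")
    callbacks = config.get("litellm_settings", {}).get("callbacks", [])
    if isinstance(callbacks, str):  # a single callback may be given as a string
        callbacks = [callbacks]
    for cb in callbacks:
        if cb not in EXPECTED_CALLBACKS:
            findings.append(f"unexpected callback in litellm_settings.callbacks: {cb}")
    return findings


if __name__ == "__main__":
    for line in audit(USERS, KEYS, CONFIG):
        print(line)
```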
References
The following resources provide additional technical details and context:
The Hacker News: LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
Obsidian Security: From Low-Privilege User to Admin and RCE
Cloud Security Alliance: LiteLLM AI Gateway Exploitation PDF
Trend Micro: Inside the LiteLLM Supply Chain Compromise
Cycode: LiteLLM Supply Chain Attack
OpenCVE: LiteLLM CVEs
Reddit: SecOpsDaily Discussion
LinkedIn: NetManageIT Post
GitHub Advisory: GHSA-qrc4-49gv-mv9m
CVE.org: CVE-2026-42271
Additional resources include the LiteLLM GitHub Releases and the CISA KEV Catalog.
Rescana is here for you
At Rescana, we understand the critical importance of securing your AI infrastructure and supply chain. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate risks across their entire digital ecosystem. We are committed to helping you stay ahead of emerging threats and ensuring the resilience of your operations. If you have any questions about this advisory or require assistance with incident response, please contact us at ops@rescana.com. Our team is ready to support you.