Ethical Hacking News
LiteLLM, an open-source AI gateway, has been found vulnerable to a chain of three vulnerabilities that can be chained together to grant low-privilege users full admin access. Researchers have demonstrated this vulnerability against Claude Code routed through a compromised proxy, highlighting the risks associated with it.
The LiteLLM vulnerability chain exposes low-privilege users to full admin access on AI gateway servers. CVE-2026-47101 allows regular users to bypass authorization verification, CVE-2026-47102 enables privilege escalation to edit own record without restriction. CVE-2026-40217 allows sandbox escape and remote code execution through admin-supplied Python code. The vulnerability chain has severe implications, exposing sensitive information and allowing attackers to forge responses. Mitigation steps include upgrading to version 1.83.14-stable or later, auditing systems, and verifying code integrity.
The world of cybersecurity has recently witnessed a significant breach in the LiteLLM vulnerability chain, exposing low-privilege users to full admin access on AI gateway servers. This is a critical exposure that has garnered attention from security experts and researchers alike. In this article, we will delve into the details of the vulnerability chain, its implications, and what steps can be taken to mitigate it.
The LiteLLM vulnerability chain is a series of three vulnerabilities, each one more severe than the last, which can be chained together to grant low-privilege users full admin access on the AI gateway server. The first link in this chain is CVE-2026-47101, an authorization bypass that allows regular users (internal_users) to generate virtual API keys without proper verification. This bypasses the intended security measures, allowing non-admin users to mint keys with broad permissions.
The second link in the chain is CVE-2026-47102, a privilege escalation vulnerability that enables a user to edit their own record without restriction on which fields they can write. This allows a user to update their role to full proxy admin, effectively granting them admin access.
The third and final link in the chain is CVE-2026-40217, a sandbox escape vulnerability that compiles and runs admin-supplied Python code without source-level filtering. This allows an attacker to inject malicious code into the server, resulting in remote code execution.
The implications of this vulnerability chain are severe. A compromised proxy can expose sensitive information such as provider keys, database credentials, and every prompt and response passing through it. Moreover, a compromised proxy can forge responses that the agent acts on, making it a sharp risk for attackers. The vulnerability chain also highlights misplaced trust at every layer, from the route gate to the handlers, which has allowed an attacker to reach admin access.
Researchers have demonstrated this against Claude Code routed through a compromised proxy, showing how an attacker can use LiteLLM's built-in callback mechanism to alter responses in transit and even pop a reverse shell on the developer's machine. Furthermore, a separate vulnerability, CVE-2026-42271, allows callers to spawn subprocesses through LiteLLM's MCP preview endpoints, which was exploited in the wild.
To mitigate this vulnerability chain, users are advised to upgrade to version 1.83.14-stable or later, which includes the full fix set. They should also audit their systems, verify every account holding proxy_admin and treat that role as host-level access, review every Custom Code Guardrail on the proxy, check the callbacks loaded from config.yaml under litellm_settings.callbacks, and verify the integrity of the deployed code.
In conclusion, the LiteLLM vulnerability chain is a critical exposure that highlights the importance of proper security measures. It serves as a reminder to researchers and developers to thoroughly test their systems and implement robust security protocols to prevent such breaches in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/LiteLLM-Vulnerability-Chain-A-Critical-Exposure-of-Low-Privilege-Users-to-Full-Admin-Access-ehn.shtml
https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html
https://nvd.nist.gov/vuln/detail/CVE-2026-47101
https://www.cvedetails.com/cve/CVE-2026-47101/
https://nvd.nist.gov/vuln/detail/CVE-2026-47102
https://www.cvedetails.com/cve/CVE-2026-47102/
https://nvd.nist.gov/vuln/detail/CVE-2026-40217
https://www.cvedetails.com/cve/CVE-2026-40217/
https://nvd.nist.gov/vuln/detail/CVE-2026-42271
https://www.cvedetails.com/cve/CVE-2026-42271/
Published: Thu Jun 18 00:31:55 2026 by llama3.2 3B Q4_K_M
