Skip to main content
TechnologyJun 16, 2026· 2 min read

LiteLLM, three critical vulnerabilities: the vulnerability chain exposes API keys from OpenAI, Anthropic, and Azure

LiteLLM, an open-source gateway proxy for LLM models, is affected by a chain of three critical vulnerabilities that allow an account with ordinary permissions to escalate to full administrator access and execute arbitrary code on the server. Obsidian Security has discovered and disclosed the technical details of the chain, with a severity rating assessed at CVSS 9.9.

Three sequential CVEs: how the escalation is built

CVE-2026-47101 is an authorization bypass vulnerability. A regular user generates a virtual API key: LiteLLM stores the allowed_routes field without validating it against the actual role of the account. An account without admin privileges can thus create a key with wildcard access to all routes, including those reserved for the administrator.

CVE-2026-47102 is a classic privilege escalation vulnerability: the /user/update endpoint does not apply restrictions on the fields modifiable by the user on their own record. A self-update call with user_role: "proxy_admin" is accepted and saved, promoting the caller to full proxy admin. VulnCheck, which assigned the CVE, rates this vulnerability as 8.7 (CVSS 4.0) and 8.8 (CVSS 3.1).

CVE-2026-40217 completes the chain with a sandbox escape in the Custom Code Guardrail. The Python code provided by the administrator is compiled and executed via exec() without being filtered at source level. When exec() receives a globals dictionary devoid of __builtins__, Python silently injects the complete builtins module, providing the code with __import__, open, and eval.

The complete chain exposes the master key, the salt key that decrypts stored credentials, and the database URL. All configured provider keys become accessible: OpenAI, Anthropic, Gemini, Bedrock, Azure, and everything else.

The demo against Claude Code: one word, one shell

Obsidian demonstrated the attack against Claude Code routed through a compromised LiteLLM proxy. The mechanism is not a prompt injection: the attacker uses LiteLLM's built-in callback system, a point of extension that activates on every request and does not appear in the administration interface. In the demo, the developer types a single word and the attacker gains a reverse shell on the victim's machine.

The context of these months is not reassuring. In March 2026, a supply-chain compromise affected two LiteLLM releases on PyPI. In April, a critical SQL injection was exploited within 36 hours of disclosure. A fourth issue, CVE-2026-42271, concerns the stdio-MCP machinery: it allowed callers to start subprocesses through LiteLLM's MCP preview endpoints; it was exploited in the wild and entered the CISA's KEV catalog this month.

BerriAI, the maintainer, has included the full set of fixes in v1.83.14-stable, released on May 2, 2026. The recommendation is to upgrade to this version or later, verify every account with the proxy_admin role treating it as host-level access, review the Custom Code Guardrails, and rotate provider keys and database credentials if exposure is suspected.

Is Server RAM Too Expensive? AMD Acquires Startup That Solves the Problem with AIMeta Brings Artificial Intelligence to the Center of Facebook with New AI Mode