Critical LiteLLM Security Flaws Enable Full AI Gateway Takeover via Privilege Escalation Chain

A newly disclosed set of security flaws in the widely used open-source AI gateway LiteLLM could allow a low-privileged user to escalate access to full administrative control and ultimately achieve remote code execution on affected servers, according to cybersecurity researchers at Obsidian Security.

LiteLLM is commonly deployed as an AI gateway that unifies access to more than 100 large language model providers through a single OpenAI-compatible interface. Because it sits between applications and model providers, a compromise of the system can expose sensitive credentials, prompts, and enterprise data.

Security experts rate the combined exploit chain as CVSS 9.9 (critical), highlighting the severity of the issue. The vendor, BerriAI, has addressed the vulnerabilities in LiteLLM v1.83.14-stable and later, released in early May, urging immediate upgrades.


Three Vulnerabilities Form a Full Attack Chain

The disclosure covers three interconnected vulnerabilities that, when chained together, allow attackers to fully compromise a LiteLLM deployment.

1. Authorization Bypass (CVE-2026-47101)

The first flaw stems from improper validation in LiteLLM’s API key creation system. Low-privileged users can manipulate the allowed_routes parameter when generating virtual API keys.

Instead of enforcing role-based restrictions, the system accepts attacker-defined route permissions, including wildcard values that grant access to all endpoints. This effectively allows non-admin users to interact with restricted administrative functions.


2. Privilege Escalation (CVE-2026-47102)

Once access controls are bypassed, attackers can exploit a vulnerable user update endpoint that fails to restrict which profile fields can be modified.

By altering their own account data, an attacker can assign themselves administrative privileges (e.g., changing role values to “proxy_admin”). This results in a full escalation from standard user to system administrator.

Independent assessments have assigned this flaw high severity ratings under multiple CVSS scoring models, reflecting its direct impact on system integrity.
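The two server-side checks that the bypass and the escalation above were missing, written here as an added illustration (not LiteLLM's own code; the role names, route names and profile field names are assumptions): a key-creation validator that bounds allowed_routes by the caller's role rather than the request body, and a profile-update guard that rejects privileged fields such as the role in self-service updates.

```python
"""Server-side checks for the two request types named above: virtual-key
creation with caller-supplied allowed_routes, and self-service profile
updates. Added illustration, not LiteLLM's own code; the role names,
route names and field names below are assumptions."""

ADMIN_ROLE = "proxy_admin"

# Most a caller of each role may delegate to a key it creates (assumed).
ROLE_ROUTE_CEILING = {
    "proxy_admin": {"*"},
    "internal_user": {"/chat/completions", "/embeddings", "/models"},
}

# Profile fields a non-admin may change on their own record (assumed);
# the role field is deliberately absent from this allowlist.
SELF_EDITABLE_FIELDS = {"user_email", "metadata"}


class AuthzError(ValueError):
    """A request tried to grant or take more than the caller holds."""


def validate_allowed_routes(caller_role: str, requested: list) -> list:
    """Bound a new key's routes by the caller's role, not the request body.
    The CVE-2026-47101 bypass accepted attacker-defined allowed_routes,
    wildcards included, from low-privileged users; here a wildcard or any
    route outside the caller's ceiling is rejected outright.
    """
    ceiling = ROLE_ROUTE_CEILING.get(caller_role, set())
    if "*" in ceiling:
        return list(requested)
    for route in requested:
        if "*" in route or route not in ceiling:
            raise AuthzError(f"role {caller_role!r} may not grant {route!r}")
    return list(requested)


def sanitize_user_update(caller_role, caller_id, target_id, update):
    """Guard the update endpoint against mass assignment of privileged fields.
    CVE-2026-47102 let a user rewrite any field of their own profile,
    including the role. Non-admins may only touch the allowlist above, and
    only on their own record; anything else is rejected rather than dropped.
    """
    if caller_role == ADMIN_ROLE:
        return dict(update)
    if caller_id != target_id:
        raise AuthzError("non-admin may only update their own profile")
    blocked = set(update) - SELF_EDITABLE_FIELDS
    if blocked:
        raise AuthzError(f"fields not self-editable: {sorted(blocked)}")
    return dict(update)
```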


3. Remote Code Execution via Guardrails (CVE-2026-40217)

The final vulnerability lies in LiteLLM’s “Custom Code Guardrail” feature, which is designed to execute Python-based security logic.

Researchers found that the system uses Python’s exec() function without proper safeguards. In certain configurations, this allows attackers to inject and execute arbitrary system commands.

Additional testing revealed that even sandboxing attempts could be bypassed using Python runtime behavior, enabling attackers to spawn reverse shells and execute system-level commands on the host.

A separate attack path affecting testing endpoints was also identified by external researchers, further confirming the risk of code execution through multiple routes.


High-Impact Consequences for Enterprises

A successful exploitation of LiteLLM can have severe consequences due to its central role in AI infrastructure.

Attackers could gain access to:

  • API keys for major AI providers such as OpenAI, Anthropic, and Google Gemini
  • Encryption keys used to protect stored credentials
  • Database connection strings and configuration secrets
  • Full logs of prompts and AI responses, often containing sensitive enterprise data
  • OAuth tokens and tool credentials in agent-based deployments

Because LiteLLM operates as a gateway, attackers can also intercept and manipulate model responses in real time, potentially altering AI-driven workflows and automated decisions.

In advanced attack scenarios, compromised systems may even allow adversaries to modify responses sent to AI agents, effectively influencing downstream actions without detection.


Security Risks Extend Beyond Data Theft

Researchers also demonstrated that attackers could leverage LiteLLM’s callback mechanisms—components that process AI requests and responses—to silently modify outputs.

This technique allows attackers to inject malicious instructions or forged tool responses without triggering typical security alerts. In proof-of-concept demonstrations, simple user interactions were escalated into full system compromise, including remote shell access on developer machines.

Additionally, LiteLLM’s Model Context Protocol (MCP) integration can intentionally spawn local subprocesses for legitimate use cases. However, if an attacker gains administrative access, this capability effectively becomes a built-in code execution pathway.


Patch Status and Security Recommendations

The vulnerabilities have been addressed in LiteLLM version 1.83.14-stable and later. Organizations using earlier versions are strongly urged to upgrade immediately.

Security experts recommend the following mitigation steps:

  • Upgrade all LiteLLM deployments to the latest patched version
  • Audit all accounts with administrative privileges
  • Review and restrict Custom Code Guardrail configurations
  • Inspect callback configurations that may not appear in the standard admin interface
  • Rotate all API keys, database credentials, and MCP-related tokens if exposure is suspected
  • Verify the integrity of deployed configurations and runtime environments
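As an added example for the audit steps above (not LiteLLM's code or log format; the JSON-lines layout, field names and the /key/generate and /user/update paths are assumptions), a detection pass over constructed audit events that flags the two request shapes making up the chain: a non-admin creating a key with wildcard allowed_routes, and a non-admin setting any user's role to proxy_admin.

```python
"""Detection pass over proxy audit events, added as an example for the
audit steps above. Not LiteLLM's own code or log format: the JSON-lines
layout, field names and the /key/generate and /user/update paths are
assumptions, and the sample events are constructed."""
import json

WILDCARD_ROUTE = "*"
ADMIN_ROLE = "proxy_admin"

# Constructed sample events: one benign key, one wildcard key from a
# non-admin, one self-promotion to proxy_admin, one legitimate admin action.
SAMPLE_LOG = """
{"ts":"2026-05-02T10:00:01Z","actor":"u1","actor_role":"internal_user","path":"/key/generate","body":{"allowed_routes":["/chat/completions"]}}
{"ts":"2026-05-02T10:00:02Z","actor":"u1","actor_role":"internal_user","path":"/key/generate","body":{"allowed_routes":["*"]}}
{"ts":"2026-05-02T10:00:03Z","actor":"u1","actor_role":"internal_user","path":"/user/update","body":{"user_id":"u1","user_role":"proxy_admin"}}
{"ts":"2026-05-02T10:00:04Z","actor":"adm","actor_role":"proxy_admin","path":"/user/update","body":{"user_id":"u7","user_role":"proxy_admin"}}
"""


def find_escalation_events(log_text: str) -> list:
    """Return one alert per event matching either rule.
    Rule 1: a non-admin creates a key whose allowed_routes contain a
            wildcard (the CVE-2026-47101 pattern).
    Rule 2: a non-admin sets any user's role to proxy_admin (the
            CVE-2026-47102 pattern); an admin doing the same is routine.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("actor_role") == ADMIN_ROLE:
            continue  # privileged callers are expected to do these things
        body = ev.get("body", {})
        routes = body.get("allowed_routes", [])
        if ev["path"] == "/key/generate" and any(WILDCARD_ROUTE in r for r in routes):
            alerts.append({"rule": "wildcard_allowed_routes", "actor": ev["actor"], "ts": ev["ts"]})
        if ev["path"] == "/user/update" and body.get("user_role") == ADMIN_ROLE:
            alerts.append({"rule": "nonadmin_role_escalation", "actor": ev["actor"], "ts": ev["ts"], "target": body.get("user_id")})
    return alerts
```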

Broader Security Concerns in AI Infrastructure

This incident adds to a growing list of security challenges affecting AI middleware platforms. LiteLLM has previously faced supply chain compromises and injection vulnerabilities, underscoring the risks associated with central AI routing systems.

Security analysts warn that because AI gateways sit directly between applications and model providers, they represent high-value targets. A single compromise can expose entire enterprise AI ecosystems.
