CVE-2026-35029
published 2026-04-06

Priority: P278 high · CVSS 3.1: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 26.41% (97.8th percentile)
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.

Affected (3 ranges)

Vendor     Product   Version range     Fixed in
berriai    litellm   < 1.83.0          1.83.0
litellm    litellm   < 1.83.0          1.83.0
litellm    litellm   >= 0, < 1.83.0    1.83.0

Detection & IOCs (extracted from sources)

url: /config/update
url: /get_image
command: POST /config/update HTTP/1.1
path: /etc/passwd
regex: EXFIL:root:.*:0:0:
yara: id: CVE-2026-35029 — Nuclei template: matchers on interactsh_protocol=http AND regex EXFIL:root:.*:0:0: in base64-decoded Basic auth header
  • Monitor for POST requests to /config/update from non-admin authenticated users; any such request is anomalous and indicative of CVE-2026-35029 exploitation.
  • Detect pass-through endpoint registration in /config/update payloads containing 'pass_through_endpoints' with external 'target' URLs — this is the RCE vector.
  • Alert on /config/update payloads that set UI_LOGO_PATH environment variable, followed by a GET to /get_image — this is the arbitrary file read chain.
  • Alert on /config/update payloads that set UI_USERNAME or UI_PASSWORD environment variables — this is the account takeover vector.
  • In the exploit PoC, the attacker registers a pass-through endpoint that exfiltrates LITELLM_MASTER_KEY and DATABASE_URL via outbound HTTP to an attacker-controlled host; monitor for outbound HTTP from LiteLLM containing these header names.
  • The exploit uses os.environ/oidc/env_path/<file> syntax in pass-through endpoint header values to read arbitrary files; detect this pattern in /config/update request bodies.
  • Nuclei template verified: look for interactsh/OOB HTTP callbacks carrying a Basic Authorization header whose base64-decoded value matches EXFIL:root:.*:0:0: as a sign of successful /etc/passwd exfiltration.
  • The vulnerability requires the attacker to already be authenticated; unauthenticated exploitation is not possible for CVE-2026-35029.
  • Red Hat Ansible Automation Platform, Lightspeed Core, and Red Hat OpenShift AI are confirmed affected downstream products.
  • As a temporary mitigation, restrict network access to the LiteLLM service port to trusted hosts only to reduce exposure of the /config/update endpoint.
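The detection bullets above can be turned into a single rule set over gateway request records. The following is an added example, not code from the page or from the LiteLLM project; the record fields (`method`, `path`, `role`, `body`), the role name `proxy_admin`, and the sample requests are constructed assumptions about what an access-log or WAF export would carry.

```python
import json
import re

# Constructed sample request records (assumed log schema, not a real LiteLLM log format).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/config/update", "role": "internal_user",
     "body": '{"environment_variables": {"UI_LOGO_PATH": "/etc/passwd"}}'},
    {"method": "GET", "path": "/get_image", "role": "internal_user", "body": ""},
    {"method": "POST", "path": "/config/update", "role": "proxy_admin",
     "body": '{"litellm_settings": {"drop_params": true}}'},
    {"method": "POST", "path": "/config/update", "role": "internal_user",
     "body": '{"general_settings": {"pass_through_endpoints": [{"path": "/x", '
             '"target": "http://203.0.113.5/", "headers": '
             '{"Authorization": "os.environ/oidc/env_path/etc/passwd"}}]}}'},
]

# File-read syntax the page says the PoC places in pass-through header values.
ENV_PATH_RE = re.compile(r"os\.environ/oidc/env_path/")

def _walk(node):
    """Yield (key, value) pairs from every nesting level of a parsed JSON body."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield k, v
            yield from _walk(v)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)

def classify(req):
    """Return the CVE-2026-35029 indicators matched by one request record."""
    findings = []
    if req["path"] == "/config/update" and req["method"] == "POST":
        if req["role"] != "proxy_admin":          # assumed admin role name
            findings.append("non_admin_config_update")
        try:
            body = json.loads(req["body"] or "{}")
        except json.JSONDecodeError:
            return findings + ["unparseable_body"]
        for key, value in _walk(body):
            if key == "pass_through_endpoints":
                findings.append("pass_through_registration")
            if key == "target" and isinstance(value, str) and value.startswith("http"):
                findings.append("external_target")   # tighten with an upstream allowlist
            if key == "UI_LOGO_PATH":
                findings.append("logo_path_file_read")
            if key in ("UI_USERNAME", "UI_PASSWORD"):
                findings.append("ui_credential_overwrite")
            if isinstance(value, str) and ENV_PATH_RE.search(value):
                findings.append("env_path_file_read")
    elif req["path"] == "/get_image":
        findings.append("get_image_fetch")
    return findings

def scan(requests):
    """Evaluate records in order; /get_image only alerts after UI_LOGO_PATH was set."""
    alerts, logo_path_armed = [], False
    for idx, req in enumerate(requests):
        findings = classify(req)
        logo_path_armed = logo_path_armed or "logo_path_file_read" in findings
        if "get_image_fetch" in findings and not logo_path_armed:
            findings.remove("get_image_fetch")
        if findings:
            alerts.append((idx, findings))
    return alerts
```

The admin-issued record (index 2) produces no alert, which is the intended baseline: the endpoint itself is legitimate, only its use by non-admin callers or with these payload shapes is suspicious.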

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v4.0     8.7    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat           8.7    HIGH