cbcvebase.
CVE-2026-40217
published 2026-04-10

CVE-2026-40217: LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.

PriorityP260high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.06%
60.3th percentile
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.

Affected

3 ranges
VendorProductVersion rangeFixed in
berriailitellm
litellmlitellm<= 2026-04-08
litellmlitellm>= 1.81.8 < 1.83.101.83.10

Detection & IOCsextracted from sources · hover to see the quote

url/guardrails/test_custom_code
path/guardrails/test_custom_code
  • Monitor HTTP requests targeting the /guardrails/test_custom_code endpoint — this is the specific attack surface for CVE-2026-40217 bytecode rewriting RCE.
  • Detect exploitation attempts that bypass regex deny-lists via runtime bytecode rewriting submitted to the Custom Code Guardrail playground endpoint.
  • Alert on any process spawned by the LiteLLM proxy that invokes os.system or establishes outbound shell connections — indicative of the reverse shell payload demonstrated in the PoC.
  • Audit litellm_settings.callbacks entries in config.yaml for unexpected or unknown callback handlers — post-RCE persistence mechanism that does not appear in the admin UI.
  • Detect self-update requests to /user/update containing the field user_role set to proxy_admin, which is the privilege escalation step (CVE-2026-47102) used to chain into CVE-2026-40217.
  • Flag API key creation requests where allowed_routes contains a wildcard ["/*"], indicating abuse of CVE-2026-47101 to bypass route authorization as a precursor to reaching the vulnerable guardrails endpoint.
  • ·CVE-2026-40217 is most dangerous when chained with CVE-2026-47101 (route bypass) and CVE-2026-47102 (privilege escalation to proxy_admin); a low-privilege internal_user account is sufficient to initiate the full chain.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.