CVE-2026-40217
published 2026-04-10CVE-2026-40217: LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
PriorityP260high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.06%
60.3th percentile
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| berriai | litellm | — | — |
| litellm | litellm | <= 2026-04-08 | — |
| litellm | litellm | >= 1.81.8 < 1.83.10 | 1.83.10 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP requests targeting the /guardrails/test_custom_code endpoint — this is the specific attack surface for CVE-2026-40217 bytecode rewriting RCE. ↗
- →Detect exploitation attempts that bypass regex deny-lists via runtime bytecode rewriting submitted to the Custom Code Guardrail playground endpoint. ↗
- →Alert on any process spawned by the LiteLLM proxy that invokes os.system or establishes outbound shell connections — indicative of the reverse shell payload demonstrated in the PoC. ↗
- →Audit litellm_settings.callbacks entries in config.yaml for unexpected or unknown callback handlers — post-RCE persistence mechanism that does not appear in the admin UI. ↗
- →Detect self-update requests to /user/update containing the field user_role set to proxy_admin, which is the privilege escalation step (CVE-2026-47102) used to chain into CVE-2026-40217. ↗
- →Flag API key creation requests where allowed_routes contains a wildcard ["/*"], indicating abuse of CVE-2026-47101 to bypass route authorization as a precursor to reaching the vulnerable guardrails endpoint. ↗
- ·CVE-2026-40217 is most dangerous when chained with CVE-2026-47101 (route bypass) and CVE-2026-47102 (privilege escalation to proxy_admin); a low-privilege internal_user account is sufficient to initiate the full chain. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
LiteLLM has a sandbox escape in custom-code guardrail
ghsa·2026-05-11
CVE-2026-40217 [HIGH] CWE-420 LiteLLM has a sandbox escape in custom-code guardrail
LiteLLM has a sandbox escape in custom-code guardrail
### Impact
The `POST /guardrails/test_custom_code` endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.
**Reaching the endpoint requires a proxy-admin credential** in default configurations.
### Patches
Fixed in **`1.83.11`**. The hand-rolled sandbox has been replaced with `RestrictedPython`. Upgrade to `1.83.11` or later.
### Workarounds
If upgrading is not immediately possible, block `POST /guardrails/test_custom_code` at your reverse proxy or API gateway.
### References
- Patched release: [`v1.83.10-stable`](https://github.com/BerriAI/litellm/releases
GHSA
GHSA-3926-2jvf-fg29: LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI
ghsa_unreviewed·2026-04-10
CVE-2026-40217 [HIGH] CWE-420 GHSA-3926-2jvf-fg29: LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
Red Hat
LiteLLM: LiteLLM: Arbitrary Code Execution via bytecode rewriting
vendor_redhat·2026-04-10·CVSS 8.8
CVE-2026-40217 [HIGH] CWE-94 LiteLLM: LiteLLM: Arbitrary Code Execution via bytecode rewriting
LiteLLM: LiteLLM: Arbitrary Code Execution via bytecode rewriting
A flaw was found in LiteLLM. A remote attacker can exploit this flaw by performing bytecode rewriting at the `/guardrails/test_custom_code` URI. This could lead to arbitrary code execution, allowing the attacker to run malicious code on the affected system.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: redhat-user-workloads/lightspeed-stack (Lightspeed Core) - Affected
Package: redhat-user-workloads/lightspeed-chatbot-rhel9 (Red Hat Ansible Automation Platform 2) - Affected
Package: redhat-user-workloads/llama-stac
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews·2026-06-22·CVSS 9.8
CVE-2026-24858 [CRITICAL] ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
Hackernews
LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
blogs_hackernews·2026-06-15·CVSS 8.8
CVE-2026-47101 [HIGH] LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities, researchers at Obsidian Security disclosed
LiteLLM is a widely deployed open-source AI gateway that brokers calls to more than 100 model providers behind one OpenAI-compatible interface.
A server takeover exposes every provider key it holds, the secrets that decrypt its stored credentials, and every prompt and response passing through it.
Obsidian rates the full chain CVSS 9.9, in the Critical range. BerriAI
Bugzilla
CVE-2026-40217 LiteLLM: LiteLLM: Arbitrary Code Execution via bytecode rewriting
bugzilla·2026-04-10·CVSS 8.8
CVE-2026-40217 [HIGH] CVE-2026-40217 LiteLLM: LiteLLM: Arbitrary Code Execution via bytecode rewriting
CVE-2026-40217 LiteLLM: LiteLLM: Arbitrary Code Execution via bytecode rewriting
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm/https://access.redhat.com/errata/RHSA-2026:24866https://access.redhat.com/errata/RHSA-2026:30056https://access.redhat.com/security/cve/CVE-2026-40217https://bugzilla.redhat.com/show_bug.cgi?id=2457301https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40217.json
2026-04-10
Published