CVE-2026-47101
published 2026-05-21


Priority: P2 (61)
CVSS 3.1: 8.8 high (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.74% (49.9th percentile)
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.

Affected (6 ranges)

Vendor                              Product                         Version range     Fixed in
berriai                             litellm                         < 1.83.14         1.83.14
exploit-intelligence-tech-preview   vulnerability-analysis-rhel9    -                 -
litellm                             litellm                         < 1.83.14         1.83.14
litellm                             litellm                         >= 0 < 1.83.14    1.83.14
rhoai                               odh-llama-stack-core-rhel9      -                 -
rhoai                               odh-mlflow-rhel9                -                 -

Detection & IOCs (extracted from sources)

other: allowed_routes: ["/*"]
other: user_role: "proxy_admin"
url:   /user/update
  • Monitor API key creation requests (key-generation endpoints) where the allowed_routes field contains wildcard values such as '/*' or admin-only route paths, submitted by non-admin (internal_user) accounts.
  • Alert on POST/PATCH requests to the /user/update endpoint that include the field user_role set to proxy_admin, especially from accounts with the internal_user role.
  • Audit existing API keys for allowed_routes grants that exceed the creating user's role; flag and rotate any keys where unauthorized admin-route access is found.
  • Inspect litellm_settings.callbacks in config.yaml for unexpected or unknown callback entries, as post-exploitation persistence may be hidden there since callbacks never appear in the admin console UI.
  • Detect access to admin-only routes by API keys whose creating user holds the internal_user role, which would indicate successful exploitation of the authorization bypass.
  • The vulnerability only affects deployments that expose the LiteLLM proxy management API to untrusted (non-admin) users; products using litellm solely as a client library have reduced exposure.
  • The same insufficient allowed_routes validation flaw exists across multiple key-management endpoints, not just the primary key-generation endpoint, which is why the fix required three separate pull requests.
  • Reaching proxy_admin on LiteLLM is effectively equivalent to host-level code execution, because the admin role has intentional access to stdio MCP server registration that spawns local subprocesses.
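The detection bullets above can be turned into a small log-scanning check. The following is an added example written for this page, not code from LiteLLM or from the advisory's sources. It assumes proxy request logs serialized as one JSON object per line with the fields used below (actor_role, method, path, body, key_creator_role); the key-creation path "/key/generate" and the admin-only route "/config/update" are assumptions used as placeholders, while "/user/update", "/*", "user_role" and "proxy_admin" come from the page. The sample log lines are constructed. It generalizes slightly beyond the bullets by treating prefix wildcards such as "/user/*" as overreach too, not only the bare "/*".

```python
import json
from typing import Iterable

# Routes treated as admin-only. "/user/update" is named on the page;
# "/config/update" is a hypothetical placeholder for other privileged paths.
ADMIN_ONLY_ROUTES = {"/user/update", "/config/update"}
# Key-creation endpoint path assumed for this example; adapt to the deployment.
KEY_CREATE_PATHS = {"/key/generate"}
ADMIN_ROLE = "proxy_admin"


def route_grant_is_privileged(route: str) -> bool:
    """True if an allowed_routes entry reaches an admin-only path.

    Covers the bare wildcard "/*" from the page, a prefix wildcard such as
    "/user/*" (assumed form), and an exact admin-only path.
    """
    if route == "/*":
        return True
    if route.endswith("/*"):
        prefix = route[:-1]  # "/user/*" -> "/user/"
        return any(p.startswith(prefix) for p in ADMIN_ONLY_ROUTES)
    return route in ADMIN_ONLY_ROUTES


def check_event(ev: dict) -> list[dict]:
    """Apply the three request-level detections from the bullets to one event."""
    findings = []
    role = ev.get("actor_role")
    path = ev.get("path", "")
    body = ev.get("body") or {}

    # Rule 1: a non-admin creates a key whose allowed_routes exceed its role.
    if path in KEY_CREATE_PATHS and role != ADMIN_ROLE:
        bad = [r for r in body.get("allowed_routes", []) if route_grant_is_privileged(r)]
        if bad:
            findings.append({"rule": "key_allowed_routes_overreach",
                             "actor_role": role, "routes": bad})

    # Rule 2: POST/PATCH to /user/update that sets user_role=proxy_admin
    # from an account that is not already proxy_admin.
    if (ev.get("method") in ("POST", "PATCH") and path == "/user/update"
            and body.get("user_role") == ADMIN_ROLE and role != ADMIN_ROLE):
        findings.append({"rule": "self_promotion_to_proxy_admin", "actor_role": role})

    # Rule 3: an admin-only route reached with a key created by an internal_user.
    if path in ADMIN_ONLY_ROUTES and ev.get("key_creator_role") == "internal_user":
        findings.append({"rule": "admin_route_via_internal_user_key", "path": path})
    return findings


def scan(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines proxy logs and return all findings with line numbers."""
    out = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            out.append({"rule": "unparseable_line", "line_no": n})
            continue
        for f in check_event(ev):
            f["line_no"] = n
            out.append(f)
    return out


# Constructed sample log lines (not real traffic). Lines 2, 3 and 5 should fire.
SAMPLE_LOG = """
{"ts":"2026-05-21T10:00:01Z","method":"POST","path":"/key/generate","actor_role":"internal_user","body":{"allowed_routes":["/chat/completions"]}}
{"ts":"2026-05-21T10:00:02Z","method":"POST","path":"/key/generate","actor_role":"internal_user","body":{"allowed_routes":["/*"]}}
{"ts":"2026-05-21T10:00:03Z","method":"POST","path":"/key/generate","actor_role":"internal_user","body":{"allowed_routes":["/user/*"]}}
{"ts":"2026-05-21T10:00:04Z","method":"POST","path":"/key/generate","actor_role":"proxy_admin","body":{"allowed_routes":["/*"]}}
{"ts":"2026-05-21T10:00:05Z","method":"POST","path":"/user/update","actor_role":"internal_user","key_creator_role":"internal_user","body":{"user_role":"proxy_admin"}}
{"ts":"2026-05-21T10:00:06Z","method":"GET","path":"/user/update","actor_role":"proxy_admin","key_creator_role":"proxy_admin","body":{}}
""".strip().splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Rule 1 is the same predicate the third bullet needs for auditing keys already in the database: feed each stored key's allowed_routes through route_grant_is_privileged together with its creator's role, and rotate anything that fires. Note that the admin-only route list is the part that has to be filled in from the actual deployment; a wildcard that matches nothing in that list is treated as harmless, so keeping the list complete matters more than the matching logic.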

CVSS provenance

nvd (v3.1):     8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd (v4.0):     8.7 HIGH  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat:  8.8 HIGH