CVE-2026-47101
Published 2026-05-21. Summary: LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit.
Priority: P2 (61) · High · CVSS 3.1 base score 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.74% (49.9th percentile)
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.
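The mechanism described above, as an added illustration that is not LiteLLM's own code: a hypothetical key-generation handler that stores allowed_routes verbatim, beside the check a fix has to add so that a non-admin cannot grant more than their own role can reach. The route table, role names, the glob semantics for allowed_routes patterns and all function names are assumptions made for the example.

```python
"""Model of the CVE-2026-47101 authorization gap: allowed_routes stored
without checking it against the creating user's own role.

Hypothetical re-implementation for illustration, not LiteLLM's code. The
route table, role names and function names below are assumptions."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

# Assumed route model (constructed for the example): management routes only
# proxy_admin may call, and the routes an internal_user may call, including
# generating keys for itself.
ADMIN_ONLY_ROUTES = {"/user/update", "/config/update"}
INTERNAL_USER_ROUTES = {"/chat/completions", "/key/generate", "/key/info"}
ROLE_ROUTES = {
    "proxy_admin": ADMIN_ONLY_ROUTES | INTERNAL_USER_ROUTES,
    "internal_user": INTERNAL_USER_ROUTES,
}
ALL_ROUTES = ADMIN_ONLY_ROUTES | INTERNAL_USER_ROUTES


class AuthorizationError(Exception):
    pass


@dataclass
class APIKey:
    token: str
    created_by_role: str
    allowed_routes: list[str] = field(default_factory=list)


def route_matches(pattern: str, route: str) -> bool:
    # Glob semantics so '/*' and '/user/*' act as wildcards, as an operator
    # would expect from an allowed_routes list (assumption for the example).
    return fnmatch.fnmatchcase(route, pattern)


def generate_key_vulnerable(requester_role: str, allowed_routes: list[str]) -> APIKey:
    """Pre-1.83.14 behaviour as the advisory describes it: the requested
    allowed_routes list is stored verbatim, with no comparison against what
    the requester's role may itself reach."""
    return APIKey("sk-vuln", requester_role, list(allowed_routes))


def validate_allowed_routes(requester_role: str, allowed_routes: list[str]) -> None:
    """Refuse any requested pattern that would cover a route the requester's
    role cannot reach. Patterns are expanded against the whole route table,
    so '/*' or '/user/*' from an internal_user is rejected because the
    expansion includes admin-only routes."""
    permitted = ROLE_ROUTES[requester_role]
    for pattern in allowed_routes:
        covered = {r for r in ALL_ROUTES if route_matches(pattern, r)}
        if not covered:
            raise AuthorizationError(f"unknown route pattern {pattern!r}")
        excess = covered - permitted
        if excess:
            raise AuthorizationError(
                f"{requester_role} may not grant {sorted(excess)} via {pattern!r}"
            )


def generate_key_fixed(requester_role: str, allowed_routes: list[str]) -> APIKey:
    """Hardened path: validate before storing, which is the missing check."""
    validate_allowed_routes(requester_role, allowed_routes)
    return APIKey("sk-fixed", requester_role, list(allowed_routes))


def key_can_reach(key: APIKey, route: str) -> bool:
    """Request-time check driven by the key's own allowed_routes. Because it
    trusts whatever was stored, an unchecked allowed_routes grant bypasses
    the role-based control entirely."""
    return any(route_matches(p, route) for p in key.allowed_routes)


def demo() -> tuple[bool, bool, bool]:
    # internal_user asks for '/*' on the vulnerable path, then uses the key
    # against an admin-only route.
    vuln_key = generate_key_vulnerable("internal_user", ["/*"])
    escalated = key_can_reach(vuln_key, "/user/update")
    # The same request on the fixed path is refused outright.
    try:
        generate_key_fixed("internal_user", ["/*"])
        blocked = False
    except AuthorizationError:
        blocked = True
    # A grant within the role still works, and still cannot reach admin routes.
    ok_key = generate_key_fixed("internal_user", ["/chat/completions"])
    return escalated, blocked, key_can_reach(ok_key, "/user/update")


if __name__ == "__main__":
    print(demo())
```

The point of expanding each pattern against the full route table rather than string-comparing it is that a narrower glob such as '/user/*' is rejected for the same reason '/*' is: the decision is made on the set of routes the grant would actually reach, not on the literal text the caller supplied.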
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| berriai | litellm | < 1.83.14 | 1.83.14 |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| litellm | litellm | < 1.83.14 | 1.83.14 |
| litellm | litellm | >= 0 < 1.83.14 | 1.83.14 |
| rhoai | odh-llama-stack-core-rhel9 | — | — |
| rhoai | odh-mlflow-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Monitor API key creation requests (key-generation endpoints) where the allowed_routes field contains wildcard values such as '/*' or admin-only route paths, submitted by non-admin (internal_user) accounts.
- Alert on POST/PATCH requests to the /user/update endpoint that include the field user_role set to proxy_admin, especially from accounts with the internal_user role.
- Audit existing API keys for allowed_routes grants that exceed the creating user's role; flag and rotate any keys where unauthorized admin-route access is found.
- Inspect litellm_settings.callbacks in config.yaml for unexpected or unknown callback entries; post-exploitation persistence may be hidden there because callbacks never appear in the admin console UI.
- Detect access to admin-only routes by API keys whose creating user holds the internal_user role; this indicates successful exploitation of the authorization bypass.
Context:
- The vulnerability only affects deployments that expose the LiteLLM proxy management API to untrusted (non-admin) users; products using litellm solely as a client library have reduced exposure.
- The same insufficient allowed_routes validation flaw exists across multiple key-management endpoints, not just the primary key-generation endpoint, which is why the fix required three separate pull requests.
- Reaching proxy_admin on LiteLLM is effectively equivalent to host-level code execution, because the admin role has intentional access to stdio MCP server registration that spawns local subprocesses.
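The detection and audit items above, run over constructed sample data, as an added example that is not part of the original page and not LiteLLM's own logging or tooling. The JSON log shape, the key table layout, the admin-only route set and the rule names are assumptions; a real deployment would map the same three rules onto whatever the proxy's access log and key store actually emit.

```python
"""Detection rules for CVE-2026-47101 exploitation signals, run over a
constructed JSON-lines access log and a constructed key table.

Added example, not LiteLLM's own logging format or tooling. Field names,
route sets and rule names are assumptions."""
import fnmatch
import json

# Assumed route sets (constructed for the example).
ADMIN_ONLY_ROUTES = {"/user/update", "/config/update"}
KEY_MANAGEMENT_ROUTES = {"/key/generate", "/key/update"}

# Constructed key table: what an audit of stored keys would provide.
KEY_TABLE = {
    "sk-abc": {"created_by_role": "internal_user", "allowed_routes": ["/*"]},
    "sk-adm": {"created_by_role": "proxy_admin", "allowed_routes": ["/*"]},
    "sk-ok": {"created_by_role": "internal_user", "allowed_routes": ["/chat/completions"]},
}

# Constructed access log, one JSON object per line (assumed shape).
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in [
    {"ts": "2026-05-22T10:00:01Z", "method": "POST", "path": "/key/generate",
     "user_role": "internal_user", "api_key": "sk-abc",
     "body": {"allowed_routes": ["/*"]}},
    {"ts": "2026-05-22T10:00:05Z", "method": "POST", "path": "/key/generate",
     "user_role": "proxy_admin", "api_key": "sk-adm",
     "body": {"allowed_routes": ["/*"]}},
    {"ts": "2026-05-22T10:01:10Z", "method": "POST", "path": "/user/update",
     "user_role": "internal_user", "api_key": "sk-abc",
     "body": {"user_role": "proxy_admin"}},
    {"ts": "2026-05-22T10:02:00Z", "method": "POST", "path": "/chat/completions",
     "user_role": "internal_user", "api_key": "sk-abc", "body": {}},
    {"ts": "2026-05-22T10:03:00Z", "method": "POST", "path": "/key/generate",
     "user_role": "internal_user", "api_key": "sk-ok",
     "body": {"allowed_routes": ["/chat/completions"]}},
    {"ts": "2026-05-22T10:04:00Z", "method": "POST", "path": "/user/update",
     "user_role": "proxy_admin", "api_key": "sk-adm",
     "body": {"user_role": "proxy_admin"}},
])


def pattern_covers_admin_route(pattern: str) -> bool:
    """True if a requested allowed_routes pattern would reach any admin-only
    route; catches '/*' as well as narrower globs like '/user/*'."""
    return any(fnmatch.fnmatchcase(r, pattern) for r in ADMIN_ONLY_ROUTES)


def detect(lines, key_table):
    """Apply the three log-based rules; returns one alert dict per hit."""
    alerts = []
    for n, raw in enumerate(lines, start=1):
        if not raw.strip():
            continue
        ev = json.loads(raw)
        path, body = ev["path"], ev.get("body", {})
        low_priv = ev.get("user_role") != "proxy_admin"
        # Rule 1: non-admin asks a key-management endpoint for admin routes.
        if path in KEY_MANAGEMENT_ROUTES and low_priv:
            bad = [p for p in body.get("allowed_routes", []) if pattern_covers_admin_route(p)]
            if bad:
                alerts.append({"rule": "admin_routes_in_key_request", "line": n, "detail": bad})
        # Rule 2: non-admin tries to set user_role=proxy_admin via /user/update.
        if path == "/user/update" and body.get("user_role") == "proxy_admin" and low_priv:
            alerts.append({"rule": "user_role_escalation_request", "line": n,
                           "detail": ev.get("api_key")})
        # Rule 3: an admin-only route is reached with a key an internal_user created.
        creator = key_table.get(ev.get("api_key"), {}).get("created_by_role")
        if path in ADMIN_ONLY_ROUTES and creator == "internal_user":
            alerts.append({"rule": "admin_route_reached_by_low_priv_key", "line": n,
                           "detail": path})
    return alerts


def audit_keys(key_table):
    """Stored keys whose allowed_routes exceed a non-admin creator's role;
    these are the keys to flag and rotate."""
    return sorted(
        token for token, rec in key_table.items()
        if rec["created_by_role"] != "proxy_admin"
        and any(pattern_covers_admin_route(p) for p in rec["allowed_routes"])
    )


def run_detection():
    return detect(SAMPLE_LOG.splitlines(), KEY_TABLE)


if __name__ == "__main__":
    for a in run_detection():
        print(a)
    print("keys to rotate:", audit_keys(KEY_TABLE))
```

Rule 3 is the one that confirms exploitation rather than an attempt, which is why it needs the key table joined to the log: the request itself looks like an ordinary admin call, and only the creator's role on the key reveals that the grant should never have existed.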
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Red Hat (vendor): 8.8 HIGH
VulDB
BerriAI litellm up to 1.83.13 API Key authorization (EUVD-2026-31346 / WID-SEC-2026-1647)
vuldb · 2026-05-23 · CVSS 8.7 · HIGH
A vulnerability was found in BerriAI litellm up to 1.83.13. It has been classified as critical. This issue affects some unknown processing of the component API Key Handler. This manipulation causes incorrect authorization.
This vulnerability appears as CVE-2026-47101. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit
ghsa · 2026-05-21 · HIGH · CWE-863
Description: as in the summary above.
GHSA (unreviewed)
GHSA-qrc4-49gv-mv9m: LiteLLM prior to 1
ghsa_unreviewed · 2026-05-21 · HIGH · CWE-863
Description: as in the summary above.
Red Hat
litellm: LiteLLM: Privilege escalation via API key generation with insufficient permission validation
vendor_redhat · 2026-05-21 · CVSS 8.8 · HIGH · CWE-639
Description: as in the summary above.
A flaw was found in LiteLLM. An authenticated internal user can exploit this vulnerability by creating API keys that grant access to routes beyond their assigned role
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews · 2026-06-22 · CVSS 9.8 (indexed under CVE-2026-24858, CRITICAL)
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
Hackernews
LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
blogs_hackernews · 2026-06-15 · CVSS 8.8 · HIGH
A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities, researchers at Obsidian Security disclosed.
LiteLLM is a widely deployed open-source AI gateway that brokers calls to more than 100 model providers behind one OpenAI-compatible interface.
A server takeover exposes every provider key it holds, the secrets that decrypt its stored credentials, and every prompt and response passing through it.
Obsidian rates the full chain CVSS 9.9, in the Critical range. BerriAI
Bugzilla
CVE-2026-47101 litellm: LiteLLM: Privilege escalation via API key generation with insufficient permission validation
bugzilla · 2026-05-21 · CVSS 8.8 · HIGH
Description: as in the summary above.
References
- https://gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f
- https://github.com/BerriAI/litellm/commit/2220f3076ac89bd2a2e3439acf57dcfbec2434c9
- https://github.com/BerriAI/litellm/commit/5190bd07eb23a037745d86328096f54378f1614a
- https://github.com/BerriAI/litellm/commit/d910a95661fce3cdd36f3b06c03ecf9c46c6457c
- https://github.com/BerriAI/litellm/releases/tag/v1.83.14-stable
- https://huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9
- https://www.obsidiansecurity.com/blog/litellm-privilege-escalation-rce
- https://www.vulncheck.com/advisories/litellm-privilege-escalation-via-api-key-generation
- https://access.redhat.com/security/cve/CVE-2026-47101
- https://bugzilla.redhat.com/show_bug.cgi?id=2480635
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47101.json
Published: 2026-05-21