CVE-2026-47102
published 2026-05-21


Priority: P2 (62) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.65% (46.6th percentile)
LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.
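The flaw described above is a missing per-field authorization check on a self-service update: ownership of the record is verified, but the set of fields the caller may change is not. The following is an added illustration written for this page, not LiteLLM's own handler: the User fields, the SELF_EDITABLE allow-list and the function names are assumptions; only the role strings proxy_admin, org_admin and internal_user come from the advisory.

```python
"""Vulnerable vs. hardened self-service user update, as a minimal model.

Added illustration only: LiteLLM's real handler and schema are not reproduced.
Field names, the SELF_EDITABLE allow-list and function names are assumptions;
the role strings come from the advisory.
"""
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when the caller may not make the requested change."""


@dataclass
class User:
    user_id: str
    user_role: str
    user_email: str = ""
    max_budget: Optional[float] = None


# Fields an ordinary user may change on their own record (assumed allow-list).
SELF_EDITABLE = {"user_email", "max_budget"}
# Privilege-bearing fields that only a proxy_admin may touch.
ADMIN_ONLY = {"user_role"}


def update_user_vulnerable(caller: User, target: User, changes: dict) -> User:
    """Models the pre-1.83.10 behaviour: ownership is checked, field names are not."""
    if caller.user_role != "proxy_admin" and caller.user_id != target.user_id:
        raise Forbidden("may only update own account")
    # Mass assignment: every supplied field is applied, user_role included.
    for name, value in changes.items():
        setattr(target, name, value)
    return target


def update_user_fixed(caller: User, target: User, changes: dict) -> User:
    """Ownership check plus a per-field allow-list; rejects rather than silently dropping."""
    is_admin = caller.user_role == "proxy_admin"
    if not is_admin and caller.user_id != target.user_id:
        raise Forbidden("may only update own account")
    for name in changes:
        if name in ADMIN_ONLY and not is_admin:
            raise Forbidden(f"field {name!r} requires proxy_admin")
        if name not in SELF_EDITABLE | ADMIN_ONLY:
            raise Forbidden(f"unknown or immutable field {name!r}")
    for name, value in changes.items():
        setattr(target, name, value)
    return target


def demo():
    """Runs the same escalation payload through both handlers; returns the resulting roles."""
    payload = {"user_role": "proxy_admin"}
    victim_a = User("u-42", "org_admin")
    role_after_vuln = update_user_vulnerable(victim_a, victim_a, dict(payload)).user_role
    victim_b = User("u-42", "org_admin")
    try:
        update_user_fixed(victim_b, victim_b, dict(payload))
    except Forbidden:
        pass
    return role_after_vuln, victim_b.user_role


if __name__ == "__main__":
    print(demo())  # ('proxy_admin', 'org_admin')
```

The hardened version rejects the request outright instead of silently ignoring the disallowed field; a silent drop hides probing attempts from logs and lets a client believe the change succeeded.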

Affected (6 ranges)

Vendor                             Product                         Version range     Fixed in
berriai                            litellm                         < 1.83.10         1.83.10
exploit-intelligence-tech-preview  vulnerability-analysis-rhel9    -                 -
litellm                            litellm                         < 1.83.10         1.83.10
litellm                            litellm                         >= 0 < 1.83.10    1.83.10
rhoai                              odh-llama-stack-core-rhel9      -                 -
rhoai                              odh-mlflow-rhel9                -                 -

Detection & IOCs (extracted from sources)

  url      /user/update
  url      /user/bulk_update
  command  user_role: "proxy_admin"
  • Alert on any PATCH/POST request to /user/update or /user/bulk_update that contains the field user_role in the request body, especially when the value is set to proxy_admin, from a non-admin authenticated user.
  • Audit user_role assignments in the LiteLLM database for unexpected proxy_admin promotions, particularly for accounts that were previously internal_user or org_admin.
  • Users with org_admin role can exploit this vulnerability directly without any additional bypass — monitor org_admin accounts making requests to /user/update that modify user_role.
  • When chained with CVE-2026-47101, an internal_user can reach /user/update via a wildcard allowed_routes key (allowed_routes: ["/*"]) — correlate key creation events containing wildcard allowed_routes with subsequent /user/update calls.
  • Review litellm_settings.callbacks entries in config.yaml for unexpected or unknown callback handlers, as post-exploitation persistence may be hidden there since callbacks never appear in the admin console UI.
  • The vulnerability affects LiteLLM versions prior to 1.83.10; the full three-CVE chain fix is included in v1.83.14-stable. Deployments that do not expose the proxy user-management API have reduced exposure.
  • Red Hat OpenShift AI (RHOAI) packages odh-llama-stack-core-rhel9 and odh-mlflow-rhel9 are confirmed affected; ansible-automation-platform lightspeed-chatbot and odh-trustyai-garak-lls-provider-dsp-rhel9 are confirmed not affected.
  • Reaching proxy_admin via this CVE is effectively equivalent to host-level code execution, as proxy_admin can register stdio MCP servers that the proxy launches as local subprocesses.
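The detection bullets above describe three checks: role-bearing writes to /user/update or /user/bulk_update from a non-proxy_admin caller, correlation of wildcard allowed_routes key creation with a later /user/update from the same key, and a database audit for unexpected proxy_admin promotions. The block below implements all three over constructed sample log lines. It is an added example for this page, not a LiteLLM log format or a shipped detection rule: the JSON field layout (ts, method, path, caller_role, key_id, body) and the key-creation path "/key/generate" are assumptions, and the log lines and role snapshots are constructed.

```python
"""Detection logic for CVE-2026-47102 run over constructed proxy request logs.

Added example, not a LiteLLM log format or a shipped detection rule. The JSON
line layout (ts, method, path, caller_role, key_id, body) and the key-creation
path "/key/generate" are assumptions; map your own proxy or gateway logs onto
these fields before using the rules.
"""
import json

SENSITIVE_PATHS = {"/user/update", "/user/bulk_update"}
KEY_CREATE_PATHS = {"/key/generate"}   # assumed name of the key-creation route
WRITE_METHODS = {"POST", "PATCH", "PUT"}

# Constructed sample log lines (not real traffic), in time order.
SAMPLE_LOG = """
{"ts":"2026-05-20T10:00:01Z","method":"POST","path":"/user/update","caller_role":"proxy_admin","key_id":"k-admin","body":{"user_id":"u-7","user_role":"internal_user"}}
{"ts":"2026-05-20T10:05:12Z","method":"POST","path":"/user/update","caller_role":"org_admin","key_id":"k-org1","body":{"user_id":"u-42","user_email":"a@example.test"}}
{"ts":"2026-05-20T10:06:40Z","method":"POST","path":"/user/update","caller_role":"org_admin","key_id":"k-org1","body":{"user_id":"u-42","user_role":"proxy_admin"}}
{"ts":"2026-05-20T11:00:00Z","method":"POST","path":"/key/generate","caller_role":"internal_user","key_id":"k-int9","body":{"allowed_routes":["/*"]}}
{"ts":"2026-05-20T11:02:30Z","method":"POST","path":"/user/update","caller_role":"internal_user","key_id":"k-int9","body":{"user_id":"u-99","user_role":"proxy_admin"}}
{"ts":"2026-05-20T11:10:00Z","method":"POST","path":"/user/bulk_update","caller_role":"org_admin","key_id":"k-org2","body":{"users":[{"user_id":"u-1","max_budget":5},{"user_id":"u-2","user_role":"proxy_admin"}]}}
"""


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def role_values(body):
    """Collect every user_role value in a body, including bulk_update's nested user list."""
    found = []
    if isinstance(body, dict):
        if "user_role" in body:
            found.append(body["user_role"])
        for value in body.values():
            found.extend(role_values(value))
    elif isinstance(body, list):
        for item in body:
            found.extend(role_values(item))
    return found


def has_wildcard_routes(body):
    """True when a key is created with a catch-all allowed_routes entry."""
    routes = body.get("allowed_routes") or []
    return any(r in ("/*", "*") for r in routes)


def detect(events):
    """Return (rule, ts, key_id, detail) tuples; events must be in time order."""
    alerts = []
    wildcard_keys = {}  # key_id -> ts of a key created with wildcard allowed_routes
    for ev in events:
        path, body = ev["path"], ev.get("body") or {}
        if path in KEY_CREATE_PATHS and has_wildcard_routes(body):
            wildcard_keys[ev["key_id"]] = ev["ts"]
            alerts.append(("wildcard_allowed_routes", ev["ts"], ev["key_id"], body["allowed_routes"]))
        if path in SENSITIVE_PATHS and ev["method"] in WRITE_METHODS:
            roles = role_values(body)
            if not roles:
                continue  # self-service edits without a role change are expected traffic
            if ev.get("caller_role") != "proxy_admin":
                severity = "high" if "proxy_admin" in roles else "medium"
                alerts.append(("role_change_by_non_admin", ev["ts"], ev["key_id"],
                               {"severity": severity, "roles": roles}))
            if ev["key_id"] in wildcard_keys:
                # Chain with CVE-2026-47101: the key that reaches /user/update was minted with /*.
                alerts.append(("chained_wildcard_key_role_change", ev["ts"], ev["key_id"],
                               wildcard_keys[ev["key_id"]]))
    return alerts


def audit_promotions(before, after):
    """Database audit: user_ids that became proxy_admin between two role snapshots."""
    return sorted(uid for uid, role in after.items()
                  if role == "proxy_admin" and before.get(uid) != "proxy_admin")


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
    # Constructed snapshots of the users table (user_id -> user_role).
    print(audit_promotions({"u-42": "org_admin", "u-99": "internal_user", "u-1": "proxy_admin"},
                           {"u-42": "proxy_admin", "u-99": "proxy_admin", "u-1": "proxy_admin"}))
```

The first sample line (a proxy_admin demoting someone) produces no alert, which is the intended baseline; the bulk_update line shows why role_values walks nested structures rather than checking only top-level keys. The wildcard correlation is stateful and order-dependent, so feed events sorted by timestamp and keep the wildcard_keys map across log batches in a real pipeline.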

CVSS provenance

  nvd            v3.1  8.8  HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  nvd            v4.0  8.7  HIGH  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  vendor_redhat        8.8  HIGH