CVE-2026-47102
Published 2026-05-21
Priority P262 · high · CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS 0.65% (46.6th percentile)
LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| berriai | litellm | < 1.83.10 | 1.83.10 |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| litellm | litellm | < 1.83.10 | 1.83.10 |
| litellm | litellm | >= 0 < 1.83.10 | 1.83.10 |
| rhoai | odh-llama-stack-core-rhel9 | — | — |
| rhoai | odh-mlflow-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Alert on any PATCH/POST request to /user/update or /user/bulk_update that contains the field user_role in the request body, especially when the value is set to proxy_admin, from a non-admin authenticated user.
- Audit user_role assignments in the LiteLLM database for unexpected proxy_admin promotions, particularly for accounts that were previously internal_user or org_admin.
- Users with org_admin role can exploit this vulnerability directly without any additional bypass — monitor org_admin accounts making requests to /user/update that modify user_role.
- When chained with CVE-2026-47101, an internal_user can reach /user/update via a wildcard allowed_routes key (allowed_routes: ["/*"]) — correlate key creation events containing wildcard allowed_routes with subsequent /user/update calls.
- Review litellm_settings.callbacks entries in config.yaml for unexpected or unknown callback handlers, as post-exploitation persistence may be hidden there since callbacks never appear in the admin console UI.
- The vulnerability affects LiteLLM versions prior to 1.83.10; the full three-CVE chain fix is included in v1.83.14-stable. Deployments that do not expose the proxy user-management API have reduced exposure.
- Red Hat OpenShift AI (RHOAI) packages odh-llama-stack-core-rhel9 and odh-mlflow-rhel9 are confirmed affected; ansible-automation-platform lightspeed-chatbot and odh-trustyai-garak-lls-provider-dsp-rhel9 are confirmed not affected.
- Reaching proxy_admin via this CVE is effectively equivalent to host-level code execution, as proxy_admin can register stdio MCP servers that the proxy launches as local subprocesses.
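The first two detection points above, applied to a constructed proxy request log, as an added defender-side example (not code from LiteLLM or from the page's sources). The log line format and the `users` list shape of the /user/bulk_update body are assumptions:

```python
import json

# Constructed sample request log (not real LiteLLM output), one JSON object per line.
# Assumed fields: ts, method, path, requester_id, requester_role, body.
SAMPLE_LOG = """
{"ts":"2026-05-21T10:00:01Z","method":"POST","path":"/user/update","requester_id":"u-17","requester_role":"internal_user","body":{"user_id":"u-17","user_email":"a@example.test"}}
{"ts":"2026-05-21T10:00:05Z","method":"POST","path":"/user/update","requester_id":"u-42","requester_role":"org_admin","body":{"user_id":"u-42","user_role":"proxy_admin"}}
{"ts":"2026-05-21T10:00:09Z","method":"POST","path":"/user/update","requester_id":"u-01","requester_role":"proxy_admin","body":{"user_id":"u-17","user_role":"internal_user"}}
{"ts":"2026-05-21T10:00:12Z","method":"POST","path":"/user/bulk_update","requester_id":"u-17","requester_role":"internal_user","body":{"users":[{"user_id":"u-17","user_role":"proxy_admin"}]}}
{"ts":"2026-05-21T10:00:15Z","method":"POST","path":"/chat/completions","requester_id":"u-17","requester_role":"internal_user","body":{"model":"gpt-x"}}
"""

WATCHED_PATHS = {"/user/update", "/user/bulk_update"}
WATCHED_METHODS = {"POST", "PATCH"}


def _role_assignments(body):
    """Yield (target_user_id, new_role) for every user_role field in a request body.

    A single update carries the fields at top level; a bulk update is assumed to
    carry a list under "users" (assumption, not taken from the advisory).
    """
    records = body.get("users", [body]) if isinstance(body, dict) else []
    for rec in records:
        if isinstance(rec, dict) and "user_role" in rec:
            yield rec.get("user_id"), rec["user_role"]


def detect_role_escalation(log_text):
    """Return one finding per user_role change attempted by a non-proxy_admin caller.

    Changes made by proxy_admin are legitimate administration and are not flagged;
    a non-admin writing proxy_admin (self-promotion per the advisory) is high severity.
    """
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["path"] not in WATCHED_PATHS or ev["method"] not in WATCHED_METHODS:
            continue
        if ev["requester_role"] == "proxy_admin":
            continue
        for target, new_role in _role_assignments(ev.get("body", {})):
            findings.append({
                "ts": ev["ts"], "path": ev["path"],
                "requester": ev["requester_id"], "requester_role": ev["requester_role"],
                "target": target, "new_role": new_role,
                "self_service": target == ev["requester_id"],
                "severity": "high" if new_role == "proxy_admin" else "medium",
            })
    return findings
```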
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 8.8 | HIGH | — |
Red Hat · vendor_redhat · 2026-05-21 · CVSS 8.8 · HIGH · CWE-915
litellm: LiteLLM: Privilege escalation through user role modification
A flaw was found in LiteLLM. A user with access to the `/user/update` endpoint can exploit a privilege escalation vulnerability. By modifying their own `user_role` to `proxy_ad
GHSA · ghsa · 2026-05-21 · HIGH · CWE-863
LiteLLM allows a user to modify their own user_role via the /user/update endpoint
GHSA · ghsa_unreviewed · 2026-05-21 · HIGH · CWE-863
GHSA-wpfp-gwwc-vwq6: LiteLLM prior to 1
No detection rules found.
No public exploits indexed.
Bugzilla · bugzilla · 2026-05-21 · CVSS 8.8 · HIGH
CVE-2026-47102 litellm: LiteLLM: Privilege escalation through user role modification
Hackernews · blogs_hackernews · 2026-06-22 · CVE-2026-24858 · CRITICAL · CVSS 9.8
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
Hackernews · blogs_hackernews · 2026-06-15 · CVE-2026-47101 · HIGH · CVSS 8.8
## LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities, researchers at Obsidian Security disclosed
LiteLLM is a widely deployed open-source AI gateway that brokers calls to more than 100 model providers behind one OpenAI-compatible interface.
A server takeover exposes every provider key it holds, the secrets that decrypt its stored credentials, and every prompt and response passing through it.
Obsidian rates the full chain CVSS 9.9, in the Critical range. BerriAI
References
- https://gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f
- https://github.com/BerriAI/litellm/commit/128d32d2494b759c5d15da3452452af4c6a34c01
- https://github.com/BerriAI/litellm/commit/e6f18ce75b111c9b93dc15c72894cbdeb53177ce
- https://github.com/BerriAI/litellm/pull/25541
- https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable
- https://huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9
- https://www.obsidiansecurity.com/blog/litellm-privilege-escalation-rce
- https://www.vulncheck.com/advisories/litellm-privilege-escalation-via-user-update
- https://access.redhat.com/security/cve/CVE-2026-47102
- https://bugzilla.redhat.com/show_bug.cgi?id=2480634
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47102.json