LiteLLM proxy privilege-escalation and RCE chain (multiple vulnerabilities)
Vulnerability
Summary
LiteLLM proxy now has a disclosed three-CVE chain that lets a low-privilege user reach proxy_admin and run code on the server, putting provider keys and stored credentials at risk. BerriAI bundled the full fix set in LiteLLM v1.83.14-stable, which GitHub lists as released May 2. The chained bugs are CVE-2026-47101, CVE-2026-47102, and CVE-2026-40217.
Related Happenings
BerriAI LiteLLM actively exploited command injection (CVE-2026-42271)
Vulnerability
H score 51
First: 09.06.2026 09:26
Last: 09.06.2026 09:26
Sources 1
About this happening:
**CVE-2026-42271** in **BerriAI LiteLLM** was added to CISA's **KEV catalog** after evidence of **active exploitation**, creating remote command-execution risk for affected proxy...
Cloud Software Group NetScaler urgent remediation advisory
Advisory/Mitigation
H score 55
First: 25.03.2026 17:52
Last: 25.03.2026 17:52
Sources 1
About this happening:
**Cloud Software Group** issued urgent remediation guidance for **NetScaler ADC** and **NetScaler Gateway**, telling affected customers to install updated versions as soon as poss...
Timeline
- 15.06.2026 19:39 · 2 articles
  Obsidian Security discloses a LiteLLM proxy chain that reaches proxy admin and server-side code execution
  Initial Disclosure: Obsidian Security discloses a three-vulnerability chain in LiteLLM proxy deployments where a default internal_user can store an unchecked allowed_routes value, reach admin-only handlers, rewrite user_role to proxy_admin through /user/update, and use the Custom Code Guardrail path to execute code on the server. The chain is rated CVSS 9.9 and can expose provider keys, stored credentials, and prompts and responses flowing through the gateway.
  Sources:
  - LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers — thehackernews.com — 15.06.2026 19:39
- 02.05.2026 03:00 · 1 article
  BerriAI ships LiteLLM v1.83.14-stable with fixes for the proxy takeover chain
  Mitigation / Patch Update: BerriAI releases LiteLLM v1.83.14-stable with the complete fix set for the LiteLLM proxy vulnerabilities that allow a low-privilege user to reach proxy admin and run code on the server. GitHub lists the release as May 2, and operators are told to upgrade to that version or later to close the chain.
  Sources:
- LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers — thehackernews.com — 15.06.2026 19:39
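Two defender-side checks that follow from the timeline above, written as an added example for this page (it is not LiteLLM's own code and does not use its API): a version gate against the fixed release v1.83.14-stable named in the advisory, and a scan of audit-log lines for the two write patterns the disclosure describes, a non-admin actor storing an allowed_routes value and a non-admin actor setting user_role to proxy_admin through /user/update. The log line format, the actor and user identifiers, and the sample lines are all constructed for this example; they are assumptions, not LiteLLM's audit format.

```python
"""Defender-side checks for the LiteLLM proxy privilege-escalation chain.

Added example, not LiteLLM project code. Two helpers:
  1. is_fixed_version(tag): True when the running version is v1.83.14-stable
     or later (the fix set named in the advisory).
  2. find_role_escalations(lines): flag audit lines where a non-admin actor
     writes allowed_routes, or sets user_role=proxy_admin via /user/update.
The audit line format is hypothetical (constructed for this example).
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (1, 83, 14)   # LiteLLM v1.83.14-stable, from the advisory
ADMIN_ROLE = "proxy_admin"


def parse_version(tag: str) -> tuple:
    """Turn 'v1.83.14-stable' or '1.84.0' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed_version(tag: str) -> bool:
    """Operators are told to run the fixed version or later."""
    return parse_version(tag) >= FIXED_VERSION


# Hypothetical audit line (constructed for this example):
#   <ts> actor=<id> actor_role=<role> route=<path> target=<id> field=<name> new=<value>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) actor_role=(?P<actor_role>\S+) "
    r"route=(?P<route>\S+) target=(?P<target>\S+) field=(?P<field>\S+) new=(?P<new>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: str
    actor_role: str
    target: str
    reason: str


def find_role_escalations(lines):
    """Return findings for writes that only a proxy_admin should be able to make."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated or malformed lines
        e = m.groupdict()
        if e["actor_role"] == ADMIN_ROLE:
            continue  # admin writes are expected; out of scope for this rule
        if e["field"] == "allowed_routes":
            findings.append(Finding(e["ts"], e["actor"], e["actor_role"], e["target"],
                                    "non-admin actor stored an allowed_routes value"))
        elif e["route"] == "/user/update" and e["field"] == "user_role" and e["new"] == ADMIN_ROLE:
            findings.append(Finding(e["ts"], e["actor"], e["actor_role"], e["target"],
                                    "non-admin actor set user_role=proxy_admin via /user/update"))
    return findings


# Constructed sample log: one legitimate admin change, one benign read,
# one allowed_routes write and one role change by an internal_user, one junk line.
SAMPLE_LOG = [
    "2026-06-15T10:00:01Z actor=u-42 actor_role=proxy_admin route=/user/update target=u-77 field=user_role new=internal_user",
    "2026-06-15T10:05:12Z actor=u-77 actor_role=internal_user route=/user/info target=u-77 field=- new=-",
    "2026-06-15T10:06:03Z actor=u-77 actor_role=internal_user route=/user/update target=u-77 field=allowed_routes new=custom",
    "not a structured audit line",
    "2026-06-15T10:07:40Z actor=u-77 actor_role=internal_user route=/user/update target=u-77 field=user_role new=proxy_admin",
]


if __name__ == "__main__":
    for tag in ("v1.83.13", "v1.83.14-stable", "1.84.0"):
        print(f"{tag}: {'fixed' if is_fixed_version(tag) else 'VULNERABLE, upgrade'}")
    for f in find_role_escalations(SAMPLE_LOG):
        print(f"{f.ts} {f.actor} ({f.actor_role}) -> {f.target}: {f.reason}")
```

The version gate treats any build older than 1.83.14 as unpatched, matching the "that version or later" guidance; the log rule deliberately ignores writes by proxy_admin actors so that it fires only on the privilege boundary the chain crosses, not on routine administration.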