Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.
Published: 2026-04-06
Score: 8.7 High
EPSS: 13.3% Moderate
KEV: No
Impact: Remote Code Execution via Unrestricted Proxy Configuration
Action: Immediate Patch
AI Analysis

Impact

LiteLLM, an AI gateway that forwards requests to large language model APIs, exposes a /config/update endpoint that, before v1.83.0, accepts configuration changes without verifying that the caller holds the admin role. Any authenticated user can therefore modify proxy settings and environment variables and register custom pass-through endpoint handlers that point at attacker-controlled Python code. From there the attacker can achieve remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching the result through /get_image, and take over privileged accounts by overwriting the UI_USERNAME and UI_PASSWORD environment variables. The root cause is a missing authorization check (CWE-863, with CWE-425 also recorded): authentication is treated as authorization, so a low-privileged user reaches administrator-only functionality. The CVSS 4.0 base score is 8.7.
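The authorization gap described above, modeled in plain Python as an added example (this is not LiteLLM's code and does not reproduce its API; the role name proxy_admin, the settings model, the custom_handler field and the helper names are assumptions for illustration). The vulnerable handler accepts any authenticated caller; the hardened one requires the admin role and additionally refuses the two primitives the chain relies on, overwriting the UI_* variables and registering custom pass-through handlers, unless explicitly allowed:

```python
"""Illustrative authorization check for a config-update endpoint.

Added example, not LiteLLM's code. It models the class of bug in
CVE-2026-35029: an authenticated caller reaching a configuration
endpoint that never checks for the admin role. Role names, the
settings model, the custom_handler field and helper names are
assumptions for illustration.
"""
from dataclasses import dataclass, field

ADMIN_ROLE = "proxy_admin"  # assumed name of the admin role

# Variables the CVE chains on: credential takeover and arbitrary file read.
SENSITIVE_ENV = {"UI_USERNAME", "UI_PASSWORD", "UI_LOGO_PATH"}


class Forbidden(Exception):
    """Raised when a caller is not allowed to perform a config update."""


@dataclass
class Caller:
    user_id: str
    role: str


@dataclass
class ProxyConfig:
    environment_variables: dict = field(default_factory=dict)
    pass_through_endpoints: list = field(default_factory=list)

    def apply(self, update: dict) -> None:
        self.environment_variables.update(update.get("environment_variables", {}))
        self.pass_through_endpoints.extend(update.get("pass_through_endpoints", []))


def config_update_vulnerable(cfg: ProxyConfig, caller, update: dict) -> ProxyConfig:
    """Pre-1.83.0 pattern: being authenticated is treated as being authorized."""
    if caller is None:
        raise Forbidden("unauthenticated")
    cfg.apply(update)
    return cfg


def config_update_hardened(cfg: ProxyConfig, caller, update: dict,
                           allow_sensitive_env: bool = False) -> ProxyConfig:
    """Require the admin role, then refuse the dangerous primitives by default."""
    if caller is None or caller.role != ADMIN_ROLE:
        who = caller.user_id if caller else "anonymous"
        raise Forbidden(f"{who} lacks role {ADMIN_ROLE}")
    touched = SENSITIVE_ENV & set(update.get("environment_variables", {}))
    if touched and not allow_sensitive_env:
        raise Forbidden(f"refusing to overwrite {sorted(touched)} through the API")
    for endpoint in update.get("pass_through_endpoints", []):
        if "custom_handler" in endpoint:  # assumed field: path to handler code
            raise Forbidden("custom pass-through handlers are disabled")
    cfg.apply(update)
    return cfg


def rejected(update: dict, caller) -> bool:
    """True if the hardened handler refuses this update."""
    try:
        config_update_hardened(ProxyConfig(), caller, update)
        return False
    except Forbidden:
        return True


def demo() -> dict:
    """Same payload against both handlers: a non-admin rewriting the UI login."""
    attacker = Caller("u-42", "internal_user")
    payload = {"environment_variables": {"UI_USERNAME": "attacker", "UI_PASSWORD": "hunter2"}}
    out = {"vulnerable": config_update_vulnerable(ProxyConfig(), attacker, payload).environment_variables}
    try:
        config_update_hardened(ProxyConfig(), attacker, payload)
        out["hardened"] = "allowed"
    except Forbidden as exc:
        out["hardened"] = str(exc)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The role check is the fix the page describes; the extra refusal of UI_* overwrites and custom handlers is a defense-in-depth choice, so that a future authorization slip does not immediately hand over the admin login or code execution.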

Affected Systems

The affected product is BerriAI’s LiteLLM, available before version 1.83.0. Any deployment of LiteLLM older than v1.83.0 that exposes the /config/update endpoint is vulnerable. The CVE description does not list additional vendors or downstream distributions, so only the primary LiteLLM product is mentioned.

Risk and Exploitability

This flaw has a CVSS 4.0 base score of 8.7 (NVD's CVSS 3.1 vector rates it 8.8) and an EPSS of 13%, a notable probability of exploitation in the wild. It is not listed in the CISA KEV catalog, but remote code execution on a gateway that typically holds upstream provider credentials makes it high-risk wherever LiteLLM is reachable. The only precondition is an authenticated session or API key; the attacker needs no admin role and no user interaction (PR:L, UI:N), so any account obtained legitimately, through credential compromise, or via a leaked key can trigger the issue immediately.

Generated by OpenCVE AI on April 28, 2026 at 21:42 UTC.

Remediation

Vendor fix: LiteLLM v1.83.0 (GHSA-53mr-6c8q-9789). No vendor-supplied workaround is listed for earlier versions; the recommended actions below cover interim mitigations.

OpenCVE Recommended Actions

  • Upgrade LiteLLM to v1.83.0 or newer; this is the only complete fix, since the missing role check is in the application itself.
  • If an immediate upgrade is not possible, block /config/update in front of the application (reverse proxy or network policy) for everyone except administrators, rather than relying on the vulnerable endpoint's own checks.
  • Audit the configuration and environment for unexpected changes to UI_USERNAME, UI_PASSWORD and UI_LOGO_PATH; treat an altered UI credential as an account takeover and rotate it, and confirm UI_LOGO_PATH still points at the intended asset and not at an arbitrary server file.
  • List the registered pass-through endpoints and remove any custom handler you did not register yourself; custom handlers are the remote-code-execution vector here.
  • Monitor access and authentication logs for /config/update requests from non-admin identities, and for /get_image requests from the same identity shortly afterwards.
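A detection pass for the last recommendation, added here as an example (not part of the page or of LiteLLM): it scans constructed access-log lines for successful /config/update requests from non-admin identities, blocked attempts on a patched server, and /get_image fetches by an identity that just wrote config. The line format, the role name proxy_admin and the rule names are assumptions; adapt the regex to what your gateway or reverse proxy actually logs.

```python
"""Detection pass over proxy access logs for CVE-2026-35029 activity.

Added example, not part of the OpenCVE page or of LiteLLM. The log line
format, role names and rule names below are constructed for illustration;
map LINE_RE to whatever your gateway or reverse proxy actually emits.
"""
import re

ADMIN_ROLES = {"proxy_admin"}  # assumed name of the admin role
CONFIG_PATH = "/config/update"
IMAGE_PATH = "/get_image"

RULE_CONFIG_OK = "non-admin config update succeeded"
RULE_CONFIG_BLOCKED = "non-admin config update attempt blocked"
RULE_IMAGE_AFTER_CONFIG = "get_image after non-admin config update"

# Constructed sample: u-42 chains the two primitives from the CVE (config
# write, then file read via /get_image); an admin does legitimate work;
# u-77 is rejected, as a patched server would do.
SAMPLE_LOG = """\
2026-04-07T10:01:58Z method=POST path=/chat/completions status=200 user=u-42 role=internal_user
2026-04-07T10:02:11Z method=POST path=/config/update status=200 user=u-42 role=internal_user
2026-04-07T10:02:13Z method=GET path=/get_image status=200 user=u-42 role=internal_user
2026-04-07T10:05:00Z method=POST path=/config/update status=200 user=admin role=proxy_admin
2026-04-07T10:05:02Z method=GET path=/get_image status=200 user=admin role=proxy_admin
2026-04-07T10:06:30Z method=POST path=/config/update status=403 user=u-77 role=internal_user
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) method=(?P<method>\S+) path=(?P<path>\S+) "
    r"status=(?P<status>\d{3}) user=(?P<user>\S+) role=(?P<role>\S+)$"
)


def parse(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            yield ev


def detect(lines):
    """Return (timestamp, rule, user) findings in log order."""
    findings = []
    non_admin_writers = set()  # identities that changed config without the admin role
    for ev in parse(lines):
        is_admin = ev["role"] in ADMIN_ROLES
        ok = 200 <= ev["status"] < 300
        if ev["path"] == CONFIG_PATH and not is_admin:
            findings.append((ev["ts"], RULE_CONFIG_OK if ok else RULE_CONFIG_BLOCKED, ev["user"]))
            if ok:
                non_admin_writers.add(ev["user"])
        elif ev["path"].split("?", 1)[0] == IMAGE_PATH and ev["user"] in non_admin_writers:
            # Only correlate for identities that already wrote config without
            # the admin role; an admin fetching the logo is normal.
            findings.append((ev["ts"], RULE_IMAGE_AFTER_CONFIG, ev["user"]))
    return findings


if __name__ == "__main__":
    for ts, rule, user in detect(SAMPLE_LOG):
        print(ts, user, rule)
```

The blocked-attempt rule is worth keeping after patching: a 403 on /config/update from a non-admin key is still a signal that someone is probing for this bug.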

Advisories
Source: GitHub GHSA
ID: GHSA-53mr-6c8q-9789
Title: LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint
History

Wed, 08 Apr 2026 00:15:00 +0000

Weaknesses: added CWE-425
References: updated
Metrics: threat_severity changed from None to Important


Tue, 07 Apr 2026 20:45:00 +0000

First Time appeared: Litellm; Litellm litellm
CPEs: added cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Vendors & Products: added Litellm; Litellm litellm
Metrics: cvssV3_1 added {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 07 Apr 2026 00:00:00 +0000

First Time appeared: Berriai; Berriai litellm
Vendors & Products: added Berriai; Berriai litellm


Mon, 06 Apr 2026 20:00:00 +0000

Metrics: ssvc added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 18:00:00 +0000

Description: typo corrected ("he /config/update endpoint" became "the /config/update endpoint"); the text is otherwise unchanged and matches the current description above.


Mon, 06 Apr 2026 16:45:00 +0000

Description: added (initial text, identical to the current description except for the "he /config/update" typo fixed in the 18:00 entry)
Title: added "LiteLLM affected by privilege escalation via unrestricted proxy configuration endpoint"
Weaknesses: added CWE-863
References: added
Metrics: cvssV4_0 added {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-06T18:41:19.672Z
Reserved: 2026-03-31T21:06:06.427Z
Link: CVE-2026-35029

Vulnrichment

Updated: 2026-04-06T18:41:13.667Z

NVD

Status: Analyzed
Published: 2026-04-06T17:17:12.353
Modified: 2026-04-07T20:21:42.893
Link: CVE-2026-35029

Red Hat

Severity: Important
Public Date: 2026-04-06T16:35:28Z
Links: CVE-2026-35029 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T21:45:26Z

Weaknesses