CVE-2026-40217 - Vulnerability Details

- LiteLLM: LiteLLM: Arbitrary Code Execution via bytecode rewriting

Description

LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.

Published: 2026-04-10

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

LiteLLM implementations prior to April 8 2026 contain a flaw that allows attackers to inject and execute arbitrary bytecode through the /guardrails/test_custom_code endpoint. The vulnerability stems from unsafe bytecode rewriting, which can lead to execution of arbitrary code on the host system. This flaw can compromise confidentiality, integrity, and availability of the affected environment, potentially allowing a remote attacker to gain full control of the affected service.

Affected Systems

The issue affects BerriAI’s LiteLLM product. All versions of LiteLLM released on or before April 8 2026 are impacted. Precise version numbers are not listed, so any installation derived from the affected code base should be assumed vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while an EPSS score below 1 % suggests limited current exploitation activity. The vulnerability is not currently flagged in the CISA KEV catalog. Based on the description, the likely attack vector is a remote HTTP request to the /guardrails/test_custom_code URI, requiring network reachability to the service. If the endpoint is publicly reachable, an attacker can exploit this flaw without user interaction. The absence of additional mitigations in the cited advisory indicates the flaw can be fully leveraged once the endpoint is reachable.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

BerriAI

LiteLLM

unknown

Version	Status	Constraints
`bb0639701796218a3447160e55c0f1097446e4e6085df7dfd39f476d4143743f`	affected	—

Configuration 1 [-]

cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Berriai

Litellm

100%

Version	Status	Scheme	Platform
`bb0639701796218a3447160e55c0f1097446e4e6085df7dfd39f476d4143743f`	affected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade LiteLLM to a version released after April 8 2026 or apply the vendor‑provided patch. If a patch is not yet available, disable or restrict access to the /guardrails/test_custom_code endpoint. Deploy network controls to block external traffic to the vulnerable endpoint until a patch is applied. Verify the update with vendor documentation or security advisories.

Generated by OpenCVE AI on April 14, 2026 at 01:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0024.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2026-40217
https://www.cve.org/CVERecord?id=CVE-2026-40217
https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm/

History

Mon, 27 Apr 2026 23:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Litellm Litellm litellm
CPEs		cpe:2.3:a:litellm:litellm::::::::
Vendors & Products		Litellm Litellm litellm

Tue, 14 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 14 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title	Remote Code Execution via Bytecode Rewriting on /guardrails/test_custom_code in LiteLLM	LiteLLM: LiteLLM: Arbitrary Code Execution via bytecode rewriting
Weaknesses		CWE-94
References		https://nvd.nist.gov/vuln/detail/CVE-2026-40217 https://www.cve.org/CVERecord?id=CVE-2026-40217
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 13 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Title		Remote Code Execution via Bytecode Rewriting on /guardrails/test_custom_code in LiteLLM

Mon, 13 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Berriai Berriai litellm
Vendors & Products		Berriai Berriai litellm

Fri, 10 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
Weaknesses		CWE-420
References		https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm/
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Berriai Litellm

Litellm Litellm

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-10T13:43:23.147Z

Updated: 2026-04-14T14:39:03.619Z

Reserved: 2026-04-10T13:43:22.641Z

Link: CVE-2026-40217

Vulnrichment

Updated: 2026-04-14T14:38:56.870Z

NVD

Status : Analyzed

Published: 2026-04-10T14:16:36.307

Modified: 2026-04-27T23:00:47.880

Link: CVE-2026-40217

Redhat

Severity : Important

Publid Date: 2026-04-10T13:43:23Z

Links: CVE-2026-40217 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:36:31Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object