Description
LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.
Published: 2026-05-21
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LiteLLM versions prior to 1.83.10 expose an endpoint capable of updating a user's own profile. While the /user/update endpoint correctly limits updates to the requester's account, it fails to restrict which profile fields can be modified. An attacker can therefore alter the user_role field and claim the proxy_admin role, giving them comprehensive administrative access over all users, teams, keys, models, and prompt history. The weakness stems from a lack of field-level authorization checks (CWE-863).

Affected Systems

The vulnerability affects BerriAI’s LiteLLM application, specifically all releases earlier than version 1.83.10. Any deployment of these impacted versions is susceptible if the /user/update endpoint is exposed to authenticated users.

Risk and Exploitability

With a CVSS score of 8.7, the vulnerability is considered high risk. Although no EPSS score is available, the flaw enables direct privilege escalation without chaining additional vulnerabilities, and users with the org_admin role can exploit it immediately. Because the endpoint is accessible to legitimate users within the application, the risk of exploitation is significant, especially in environments where the /user/update route is exposed without additional safeguards. The defect is not listed in the CISA KEV catalog, but its severity and the ability to leverage existing authenticated sessions make it a compelling target for attackers.

Generated by OpenCVE AI on May 21, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade LiteLLM to version 1.83.10 or later to remove the flaw.
  • Restrict the /user/update endpoint or enforce field-level authorization rules so that only permitted fields (e.g., email, name) can be changed by normal users.
  • Enable and regularly review audit logging for changes to user_role, and monitor for abnormal privilege escalations.
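The field-level allowlist and user_role audit trail that the second and third actions call for, as an added Python illustration that is not LiteLLM's code: a minimal self-update handler with the pre-1.83.10 defect (row check only) beside a hardened one. The `User` model, `SELF_UPDATABLE_FIELDS`, the `email`/`name` field names and the in-memory `audit` list are assumptions made for this example.

```python
from dataclasses import dataclass
# Hypothetical field names; the allowlist is the field-level check that was missing.
SELF_UPDATABLE_FIELDS = frozenset({"email", "name"})

class Forbidden(Exception):
    """Raised when the caller may not perform the requested update."""

@dataclass
class User:
    user_id: str
    user_role: str  # e.g. "internal_user", "org_admin", "proxy_admin"
    email: str = ""
    name: str = ""

def _check_own_account(caller: User, user_id: str) -> None:  # row-level check, present before and after the fix
    if user_id != caller.user_id and caller.user_role != "proxy_admin":
        raise Forbidden("may only update own account")

def update_user_vulnerable(caller: User, users: dict, user_id: str, changes: dict) -> User:
    """Pre-1.83.10 behaviour: only the row is checked, every field is accepted."""
    _check_own_account(caller, user_id)
    target = users[user_id]
    for key, value in changes.items():  # user_role passes straight through
        setattr(target, key, value)
    return target

def update_user_fixed(caller: User, users: dict, user_id: str, changes: dict, audit: list) -> User:
    """Row check plus a field allowlist for non-admins and an audit entry for each role change."""
    _check_own_account(caller, user_id)
    if caller.user_role != "proxy_admin":
        rejected = set(changes) - SELF_UPDATABLE_FIELDS
        if rejected:
            raise Forbidden(f"fields not self-updatable: {sorted(rejected)}")
    target = users[user_id]
    if changes.get("user_role", target.user_role) != target.user_role:
        audit.append({"actor": caller.user_id, "subject": user_id,
                      "old_role": target.user_role, "new_role": changes["user_role"]})
    for key, value in changes.items():
        setattr(target, key, value)
    return target

def demo() -> dict:
    # Constructed scenario: an org_admin sends {"user_role": "proxy_admin"} for their own account.
    vuln, fixed, audit = {"u1": User("u1", "org_admin")}, {"u1": User("u1", "org_admin")}, []
    update_user_vulnerable(vuln["u1"], vuln, "u1", {"user_role": "proxy_admin"})
    try:
        update_user_fixed(fixed["u1"], fixed, "u1", {"user_role": "proxy_admin"}, audit)
    except Forbidden:
        pass
    return {"vulnerable": vuln["u1"].user_role, "fixed": fixed["u1"].user_role, "audit": len(audit)}
```

Run `demo()` to compare both handlers on the same request; in a real deployment the `audit` entries are what the third action's monitoring would alert on.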

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   -                Berriai; Berriai litellm
  Vendors & Products    -                Berriai; Berriai litellm

Thu, 21 May 2026 21:00:00 +0000

  Type          Values Removed   Values Added
  Description   -                LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.
  Title         -                LiteLLM < 1.83.10 Privilege Escalation via User Update
  Weaknesses    -                CWE-863
  References    -                (empty)
  Metrics       -                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                 cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T20:34:37.893Z

Reserved: 2026-05-18T19:22:26.748Z

Link: CVE-2026-47102

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T21:16:32.557

Modified: 2026-05-21T21:16:32.557

Link: CVE-2026-47102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:45:21Z

Weaknesses