LiteLLM Default Account Flaw Gives Full Server Takeover

- Obsidian Security disclosed a three-CVE chain in LiteLLM that lets a default internal_user reach proxy_admin and then server code execution, rated CVSS 9.9 Critical — the bypass, escalation, and sandbox-escape bugs are CVE-2026-47101, CVE-2026-47102, and CVE-2026-40217 respectively.
- BerriAI, the maintainer, shipped the complete fix set in LiteLLM v1.83.14-stable, which GitHub lists as released May 2; upgrades to that release or later close the chain.
- The escalation path runs: a user-generated virtual key stores a caller-supplied allowed_routes wildcard that the proxy also treats as a grant, opening /user/update, which then accepts a self-write of user_role: "proxy_admin" — VulnCheck scores that escalation 8.7 (CVSS 4.0) / 8.8 (CVSS 3.1).
- A successful takeover exposes the master key, the salt key that decrypts stored credentials, the database URL, and every configured provider key (OpenAI, Anthropic, Gemini, Bedrock, Azure), plus every prompt and response routed through the gateway.
- Obsidian demonstrated the response-forging attack against Claude Code routed through a compromised proxy: a developer who typed a single word — "hello" — triggered a reverse shell on their own machine, using LiteLLM's built-in callback mechanism to swap the model's response for a forged tool call that bypassed safety checks.
- LiteLLM has had three prior major incidents this year — a March supply-chain compromise backdooring two PyPI releases, a critical April SQL injection exploited within 36 hours of disclosure, and CVE-2026-42271 (a stdio-MCP subprocess bug) which was exploited in the wild and added to CISA's KEV catalog earlier this month.
- Remediation per Obsidian: upgrade to v1.83.14-stable or later, audit every proxy_admin account, review every Custom Code Guardrail, check litellm_settings.callbacks in config.yaml (these entries never appear in the console and are a natural hiding spot for a post-RCE attacker), and rotate provider keys, database credentials, and stored MCP tokens if exposure is suspected.
Why it matters: LiteLLM proxies sit between AI apps and every provider key, so a server compromise doesn't just leak data — it lets an attacker forge model responses on the wire. Obsidian showed a developer typing 'hello' could trigger a reverse shell on their own machine through hijacked Claude Code output, and the gateway's position keeps making it a repeat target: March supply-chain backdoor, April SQLi exploited within 36 hours, now a CVSS 9.9 chain.
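
An added example (not Obsidian's or LiteLLM's code) of two audit steps from the remediation list: flagging unexpected proxy_admin accounts and virtual keys whose allowed_routes contains a wildcard or covers /user/update. It assumes user and key records have already been exported as lists of dicts; the user_id and key_alias field names, the glob-style route matching, and the sample records are assumptions constructed for illustration.

```python
import fnmatch

# Route the page names as the step that accepts the user_role self-write.
SENSITIVE_ROUTES = ("/user/update",)


def audit(users, keys, expected_admins):
    """Return (finding, subject, detail) tuples for the two audit checks."""
    findings = []
    for u in users:
        if u.get("user_role") == "proxy_admin" and u["user_id"] not in expected_admins:
            findings.append(("unexpected_admin", u["user_id"], "user_role=proxy_admin"))
    for k in keys:
        if k.get("user_id") in expected_admins:
            continue  # known admins may legitimately hold broad keys
        for pattern in k.get("allowed_routes") or []:  # field may be null
            # Assumption: '*' in a stored route behaves like a glob wildcard.
            covers = any(fnmatch.fnmatchcase(r, pattern) for r in SENSITIVE_ROUTES)
            if "*" in pattern or covers:
                findings.append(("broad_key_route", k.get("key_alias"), pattern))
    return findings


# Constructed sample records (hypothetical export, not real data).
SAMPLE_USERS = [
    {"user_id": "alice-admin", "user_role": "proxy_admin"},
    {"user_id": "dev-42", "user_role": "proxy_admin"},
    {"user_id": "dev-7", "user_role": "internal_user"},
]
SAMPLE_KEYS = [
    {"key_alias": "ci-bot", "user_id": "dev-7", "allowed_routes": ["/chat/completions"]},
    {"key_alias": "scratch", "user_id": "dev-7", "allowed_routes": ["/*"]},
    {"key_alias": "ops", "user_id": "alice-admin", "allowed_routes": ["*"]},
    {"key_alias": "legacy", "user_id": "dev-7", "allowed_routes": None},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, SAMPLE_KEYS, expected_admins={"alice-admin"}):
        print(finding)
```

Any finding is a lead for manual review against the list of people who should hold admin rights, not proof of compromise.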

