CVE-2026-35029: CWE-863: Incorrect Authorization in BerriAI litellm
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated to the platform can use this endpoint to modify proxy configuration and environment variables; register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution; read arbitrary server files by setting UI_LOGO_PATH and fetching them via /get_image; and take over other privileged accounts by overwriting the UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.
AI Analysis
Technical Summary
LiteLLM, a proxy server for calling LLM APIs, had an authorization flaw in its /config/update endpoint before version 1.83.0. The endpoint did not enforce admin role checks, enabling authenticated users to alter proxy configurations and environment variables. Attackers could register custom pass-through handlers pointing to malicious Python code to achieve remote code execution, read arbitrary server files by manipulating UI_LOGO_PATH, and hijack privileged accounts by changing UI_USERNAME and UI_PASSWORD environment variables. The issue is tracked as CWE-863 (Incorrect Authorization) and carries a CVSS 4.0 score of 8.7, indicating high severity. The vulnerability was fixed in LiteLLM version 1.83.0.
Potential Impact
An authenticated user without admin privileges can exploit this vulnerability to execute arbitrary code on the server, read sensitive files, and take over privileged accounts. This compromises the confidentiality, integrity, and availability of the affected system. The high CVSS score reflects the critical impact on system security if exploited.
Mitigation Recommendations
Upgrade LiteLLM to version 1.83.0 or later, where the authorization checks on the /config/update endpoint are properly enforced. Since no official patch link or vendor advisory was provided, verify the upgrade from the official BerriAI sources. Until upgraded, restrict which users can authenticate to the proxy, and monitor for suspicious activity related to configuration changes.
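A detection pass over proxy audit logs, as an added example (not LiteLLM's own code): it flags /config/update calls from non-admin roles and admin writes to the UI_* variables named above. The JSON-lines log format, the `env_keys` field and the role strings are assumptions.

```python
"""Flag risky /config/update activity in a LiteLLM proxy audit log.

Added example, not LiteLLM's own code. The log format below is a
hypothetical JSON-lines audit trail: each record carries the request
method, path, the caller's role and, for config updates, the
environment-variable names the body tried to set ("env_keys").
"""
import json

# Variables the advisory names as dangerous when writable by non-admins:
# arbitrary file read via /get_image, and takeover of the UI admin login.
SENSITIVE_ENV_KEYS = {"UI_LOGO_PATH", "UI_USERNAME", "UI_PASSWORD"}
CONFIG_UPDATE_PATH = "/config/update"
ADMIN_ROLE = "proxy_admin"  # assumed role string

# Constructed sample records, not real LiteLLM output.
SAMPLE_LOG = """\
{"ts":"2026-04-06T17:01:02Z","method":"POST","path":"/chat/completions","role":"internal_user","env_keys":[]}
{"ts":"2026-04-06T17:02:10Z","method":"POST","path":"/config/update","role":"internal_user","env_keys":["UI_LOGO_PATH"]}
{"ts":"2026-04-06T17:03:44Z","method":"POST","path":"/config/update","role":"proxy_admin","env_keys":[]}
{"ts":"2026-04-06T17:04:01Z","method":"POST","path":"/config/update","role":"proxy_admin","env_keys":["UI_PASSWORD","OPENAI_API_KEY"]}
{"ts":"2026-04-06T17:05:30Z","method":"GET","path":"/get_image","role":"internal_user","env_keys":[]}
"""


def audit(log_text: str) -> list[dict]:
    """Return one finding per risky config update, highest severity first."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("path") != CONFIG_UPDATE_PATH:
            continue
        touched = sorted(SENSITIVE_ENV_KEYS & set(rec.get("env_keys", [])))
        if rec.get("role") != ADMIN_ROLE:
            # Before 1.83.0 the proxy accepted this; it is the CVE itself.
            findings.append({"ts": rec["ts"], "severity": "high",
                             "reason": f"config update by non-admin role {rec.get('role')}",
                             "env_keys": touched})
        elif touched:
            # Legitimate for an admin, but these keys control the UI login
            # and a server file path, so they deserve a review entry.
            findings.append({"ts": rec["ts"], "severity": "medium",
                             "reason": "admin changed sensitive UI env vars",
                             "env_keys": touched})
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1}[f["severity"]])


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["severity"], f["ts"], f["reason"], f["env_keys"])
```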
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-31T21:06:06.427Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d3ea320a160ebd92c9fda1
Added to database: 4/6/2026, 5:15:30 PM
Last enriched: 4/30/2026, 1:56:47 AM
Last updated: 5/22/2026, 2:30:42 PM