Researchers at Obsidian Security disclosed a critical vulnerability chain in LiteLLM involving three bugs: CVE-2026-47101 (authorization bypass via unchecked allowed_routes field), CVE-2026-47102 (privilege escalation by modifying user_role to proxy_admin), and CVE-2026-40217 (sandbox escape via unsafe exec() usage in Custom Code Guardrail). Together, these allow a low-privilege internal user to gain full proxy admin rights and execute arbitrary code on the server. This compromises all provider keys, encrypted credentials (decryptable with exposed salt key), and all data routed through the proxy. The attacker can also manipulate AI model responses using LiteLLM's callback mechanism, enabling remote code execution on client machines. The maintainer fixed these issues in version 1.83.14-stable released May 2, 2026.

Successful exploitation results in full server takeover of the LiteLLM proxy, exposing all AI provider keys, decryption keys for stored credentials, database URLs, and all prompt/response data including potentially sensitive information. The attacker can execute arbitrary code on the server and manipulate AI model responses in transit, potentially causing downstream compromise of client systems. This represents a critical security risk to any deployment using vulnerable versions of LiteLLM.

Upgrade LiteLLM to version 1.83.14-stable or later, which contains the complete fix set for the three vulnerabilities. After upgrading, audit all accounts with proxy_admin privileges and treat them as having host-level access. Review all Custom Code Guardrails and callbacks configured in litellm_settings.callbacks, as these can be abused post-compromise. Verify the integrity of deployed code and rotate all provider keys, database credentials, and MCP tokens if exposure is suspected. No other mitigations are indicated beyond applying the official patch and conducting thorough post-patch audits.