{"slug": "litellm-cve-chain-a-default-user-account-becomes-full-server-access", "title": "LiteLLM CVE Chain: A Default User Account Becomes Full Server Access", "summary": "CISA confirmed active exploitation of CVE-2026-42271 in LiteLLM, an open-source AI gateway, and set a June 22 federal remediation deadline. Obsidian Security disclosed a three-vulnerability chain allowing default users to escalate to full server access, exposing all provider API keys. Qilin ransomware is actively targeting unpatched deployments.", "body_md": "CISA confirmed active exploitation of CVE-2026-42271 in LiteLLM and set a June 22 federal remediation deadline. That deadline applies to government agencies under BOD 22-01, but if you run a LiteLLM proxy in any production environment, the deadline should feel personal. Qilin ransomware is already moving on unpatched deployments.\n\nThe timing matters because June 15 brought something more alarming than the command injection flaw CISA flagged weeks ago. [Obsidian Security published a three-vulnerability chain](https://www.obsidiansecurity.com/blog/litellm-privilege-escalation-rce) that lets a default LiteLLM user — a viewer account, no special permissions — escalate to full proxy administrator and then execute arbitrary code on the gateway server. Every provider API key stored in that server becomes available to the attacker.\n\n## What LiteLLM Is (and Why It’s Worth Targeting)\n\nLiteLLM is an open-source AI gateway. Teams use it to put a single OpenAI-compatible API in front of 100+ model providers — OpenAI, Anthropic, Google Vertex AI, AWS Bedrock, Azure OpenAI, and more. One endpoint, one key management system, one place to handle rate limiting, cost tracking, and load balancing across providers.\n\nThat centralization is exactly what makes it valuable to attackers. A compromised LiteLLM instance doesn’t just give you one API key. 
It gives you all of them, plus the master key, the database URL, and shell access to whatever is running on the host.\n\n## The Three-Step Chain\n\nThe chain discovered by Obsidian Security links three separate flaws in sequence. Each step is relatively simple. Together, they reduce a full server takeover to a matter of minutes from a default user account.\n\n### Step 1: Mint a Key With Admin Route Access (CVE-2026-47101)\n\nLiteLLM lets users create virtual API keys and supply an `allowed_routes` field to restrict which endpoints that key can reach. The problem: LiteLLM persists whatever you put in that field without validation. A standard user can call `/key/generate` and set `allowed_routes: [\"/*\"]` — granting the resulting key access to every endpoint, including admin-only routes. The server accepts it and saves it.\n\n### Step 2: Promote Yourself to Admin (CVE-2026-47102)\n\nWith admin route access from the key you just minted, you can now reach `/user/update`. This endpoint lets users modify their own records. It doesn’t restrict which fields are editable. Send a self-update with `user_role: \"proxy_admin\"` and LiteLLM promotes your account to full administrator, no questions asked.\n\n### Step 3: Get a Shell (CVE-2026-40217)\n\nAs a proxy admin, you have access to the Custom Code Guardrail feature, which lets admins supply Python code for content filtering via the `/guardrails/test_custom_code` endpoint. That code runs through `exec()`. There is a regex filter intended to block dangerous operations, but it can be bypassed by rewriting function bytecode — a well-documented technique that accesses restricted Python built-ins. From there, arbitrary shell commands execute on the host.\n\nStart as a viewer. End with a shell. 
The whole chain requires only a default user account to initiate.\n\n## The Unauthenticated Variant\n\nCVE-2026-42271 is a command injection flaw in LiteLLM’s MCP preview endpoints (`/mcp-rest/test/connection` and `/mcp-rest/test/tools/list`). These endpoints accept a full MCP server configuration, including a `command` field for stdio transport. That command field passes to the host OS without sanitization. An attacker with any valid API key can run arbitrary binaries on the server.\n\nOn its own, that requires a credential. Chained with CVE-2026-48710 — the Starlette “BadHost” host-header authentication bypass [we covered in May](https://byteiota.com/cve-2026-48710-badhost-starlette-fastapi-ai-agents/) — the credential requirement disappears. Unauthenticated remote code execution. CVSS 10.0. This is the variant CISA flagged as actively exploited, attributed to Qilin ransomware with medium confidence.\n\n## What’s Actually at Risk\n\nA successful attack against a LiteLLM gateway doesn’t hand an attacker one API key. It hands them everything the gateway holds:\n\n- Provider API keys for every connected service (OpenAI, Anthropic, Google, Bedrock, Azure)\n- LiteLLM master key and salt key\n- PostgreSQL connection string and database credentials\n- Full shell access to the host server\n\nEnterprise LiteLLM deployments often run with high API billing limits across multiple providers. Key theft means quota exhaustion attacks and direct financial exposure, in addition to the risk of every AI workflow being intercepted or manipulated.\n\n## Patch and Remediation Steps\n\nThe fix is available. [LiteLLM v1.83.14-stable](https://github.com/BerriAI/litellm/releases/tag/v1.83.14-stable) addresses the three-CVE chain. Starlette v1.0.1 patches CVE-2026-48710. Both updates are needed to close the unauthenticated RCE path.\n\nPatching alone isn’t enough if you’ve been running a vulnerable version. 
Treat all provider keys as potentially compromised:\n\n- **Upgrade** to LiteLLM v1.83.14-stable and Starlette v1.0.1\n- **Rotate all provider keys** — revoke and regenerate at every upstream provider (OpenAI, Anthropic, Google, AWS, Azure)\n- **Audit proxy_admin accounts** — remove any accounts you don’t recognize; CVE-2026-47102 may have created unauthorized admins without your knowledge\n- **Disable Custom Code Guardrails** if not actively in use (removes the `exec()` attack surface from CVE-2026-40217)\n- **Block MCP REST test endpoints** at the network layer if an immediate upgrade isn’t feasible: `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list`\n\nAfter rotation, confirm old keys are invalidated at the upstream provider level — not just removed from LiteLLM’s configuration. [The Hacker News has additional technical detail](https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html) on the chain for teams doing a deeper post-incident review.\n\n## AI Infrastructure Is the New Attack Surface\n\nThe LiteLLM chain follows a pattern that’s accelerating. [LangGraph’s checkpointer RCE](https://byteiota.com/langgraph-rce-patch-ai-agent-checkpointers/) and the [Spring AI vector store vulnerability](https://byteiota.com/spring-ai-vector-store-rce-patch-before-june-30-eol/) both landed this week. AI infrastructure components — gateways, agent frameworks, vector stores — are now high-value targets because they sit between applications and sensitive model API credentials.\n\nThe June 22 CISA deadline is for federal agencies. Qilin ransomware is not limiting activity to .gov networks. 
If your LiteLLM deployment is internet-reachable and unpatched, the urgency is the same.", "url": "https://wpnews.pro/news/litellm-cve-chain-a-default-user-account-becomes-full-server-access", "canonical_source": "https://byteiota.com/litellm-cve-chain-rce-2026/", "published_at": "2026-06-17 15:10:10+00:00", "updated_at": "2026-06-17 15:30:25.933939+00:00", "lang": "en", "topics": ["ai-safety", "ai-infrastructure", "ai-tools"], "entities": ["LiteLLM", "CISA", "Obsidian Security", "Qilin", "OpenAI", "Anthropic", "Google Vertex AI", "AWS Bedrock"], "alternates": {"html": "https://wpnews.pro/news/litellm-cve-chain-a-default-user-account-becomes-full-server-access", "markdown": "https://wpnews.pro/news/litellm-cve-chain-a-default-user-account-becomes-full-server-access.md", "text": "https://wpnews.pro/news/litellm-cve-chain-a-default-user-account-becomes-full-server-access.txt", "jsonld": "https://wpnews.pro/news/litellm-cve-chain-a-default-user-account-becomes-full-server-access.jsonld"}}