What happened
SecureLayer7 Lab published the three-CVE RCE chain on June 29–30, 2026 (article published 2026-06-29T13:31:46, modified 2026-06-30). The chain collapses the gap between a default internal user and RCE on the LiteLLM host into a single Python script that makes three HTTP calls. The Metasploit module for LiteLLM was also updated to include SQL injection and auth-bypass modules, and the vulnerability was flagged in Security Boulevard's Top CVEs of June 2026 list.
Why it matters
LiteLLM is deployed as an AI gateway by enterprises routing traffic for all their LLM applications. RCE on the LiteLLM proxy means an attacker controls the routing layer for all upstream LLM calls — enabling prompt injection at scale, credential theft for every configured LLM provider, response tampering, and full model traffic interception. This is a true AI supply-chain attack vector.
Attack vector
Step 1 (CVE-2026-47101): a POST to /key/generate with allowed_routes: ['/*'] upgrades a default internal_user key to a wildcard-access key.
Step 2 (CVE-2026-49468): Host header injection in LiteLLM's proxy auth layer bypasses the admin role checks.
Step 3 (CVE-2026-35029): the /config/update endpoint lacks admin role enforcement, so environment variables and the proxy config can be mutated, leading to RCE.
The entire chain executes in under 2 seconds with 3 HTTP requests from a default-permission internal user.
Affected systems
LiteLLM proxy before 1.84.0 (three-CVE chain: CVE-2026-47101, CVE-2026-49468, CVE-2026-35029)
Mitigation
Upgrade to LiteLLM 1.84.0 or later. SecureLayer7 advisory: https://blog.securelayer7.net/litellm-three-cve-rce-ai-supply-chain-attack
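The two things a defender wants from the advisory above are a quick way to tell whether a running proxy predates the 1.84.0 fix, and log-side detection for the three observable steps of the chain (a non-admin /key/generate request asking for wildcard allowed_routes, a Host header that does not match the gateway's real hostname, and a non-admin request to /config/update). The script below is an added example covering both the "Attack vector" and "Mitigation" sections; it is not code from SecureLayer7 or the LiteLLM project. The JSON-lines log format, the field names (method, path, host, user_role, body), the role names internal_user and proxy_admin, and all sample log lines are constructed assumptions for the example, not LiteLLM's real log schema.

```python
"""Defender-side checks for the LiteLLM three-CVE chain described above.

Added example, not from the SecureLayer7 advisory or the LiteLLM project.
Assumptions (hypothetical, not taken from the page):
  - the proxy access log is one JSON object per line with the keys
    method, path, host, user_role and body (parsed request body)
  - the operator knows the Host header value the gateway should receive
  - "proxy_admin" is the admin role; anything else is treated as non-admin
"""
import json
import re

PATCHED_VERSION = (1, 84, 0)  # fix version stated in the advisory


def parse_version(v: str) -> tuple:
    """Turn '1.83.2' or 'v1.84.0-stable' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the running proxy predates the 1.84.0 fix."""
    return parse_version(version) < PATCHED_VERSION


# Constructed sample log lines in the hypothetical JSON-lines format.
# Line 2 shows step 1 of the chain, line 4 shows steps 2 and 3; lines 1 and 3 are benign.
SAMPLE_LOG = """\
{"method": "POST", "path": "/chat/completions", "host": "llm-gw.internal", "user_role": "internal_user", "body": {"model": "gpt-4o"}}
{"method": "POST", "path": "/key/generate", "host": "llm-gw.internal", "user_role": "internal_user", "body": {"allowed_routes": ["/*"]}}
{"method": "POST", "path": "/key/generate", "host": "llm-gw.internal", "user_role": "proxy_admin", "body": {"allowed_routes": ["/chat/completions"]}}
{"method": "POST", "path": "/config/update", "host": "attacker-controlled.example", "user_role": "internal_user", "body": {"environment_variables": {"X": "y"}}}
"""

ADMIN_ROLE = "proxy_admin"  # assumed admin role name


def analyse_log(text: str, expected_host: str) -> list:
    """Return (line_no, reason) findings for the chain's three observable steps."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            findings.append((n, "unparseable log line"))
            continue
        path = rec.get("path", "")
        host = rec.get("host", "")
        role = rec.get("user_role", "")
        body = rec.get("body") or {}
        # Step 1: a non-admin asking for wildcard allowed_routes on /key/generate
        routes = body.get("allowed_routes", [])
        if isinstance(routes, str):
            routes = [routes]
        if path == "/key/generate" and "/*" in routes and role != ADMIN_ROLE:
            findings.append((n, "non-admin /key/generate with wildcard allowed_routes"))
        # Step 2: a Host header that is not the gateway's real hostname
        if host and host != expected_host:
            findings.append((n, f"unexpected Host header {host!r}"))
        # Step 3: the config mutation endpoint reached by a non-admin
        if path == "/config/update" and role != ADMIN_ROLE:
            findings.append((n, "non-admin request to /config/update"))
    return findings


if __name__ == "__main__":
    print("1.83.5 vulnerable:", is_vulnerable("1.83.5"))
    for line_no, reason in analyse_log(SAMPLE_LOG, "llm-gw.internal"):
        print(f"line {line_no}: {reason}")
```

Feed analyse_log() the proxy's real access log once it has been mapped into the assumed fields; any step-1 or step-3 hit from a non-admin identity on a pre-1.84.0 proxy should be treated as an active exploitation attempt, and the Host-header check is worth keeping on even after upgrading since it has no legitimate reason to fire.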