Vulnerability  ·  2026-07-02

LiteLLM AI Gateway — Three-CVE RCE Chain: Default Internal User Can Escalate to Admin and Execute Arbitrary Code

VulnerabilityHigh impactGlobal
SecureLayer7 Lab published the three-CVE RCE chain on June 29–30, 2026 (article published 2026-06-29T13:31:46, modified 2026-06-30). The chain collapses the gap between 'default internal user' and 'RCE on the LiteLLM host' into a single Python script making three HTTP calls. LiteLLM's Metasploit module was also updated to include SQL injection and auth-bypass modules. The vulnerability was also flagged in the Top CVEs of June 2026 list by Security Boulevard.
LiteLLM is deployed as an AI gateway by enterprises routing traffic for all their LLM applications. RCE on the LiteLLM proxy means an attacker controls the routing layer for all upstream LLM calls — enabling prompt injection at scale, credential theft for every configured LLM provider, response tampering, and full model traffic interception. This is a true AI supply-chain attack vector.
Step 1 (CVE-2026-47101): POST /key/generate with allowed_routes: ['/*'] upgrades a default internal_user key to a wildcard-access key. Step 2 (CVE-2026-49468): Host header injection in LiteLLM's proxy auth layer bypasses admin role checks. Step 3 (CVE-2026-35029): The /config/update endpoint lacks admin role enforcement, allowing environment variable and config mutation leading to RCE. The entire chain executes in under 2 seconds with 3 HTTP requests from a default-permission internal user.
LiteLLM proxy before 1.84.0 (three-CVE chain: CVE-2026-47101, CVE-2026-49468, CVE-2026-35029)
Upgrade to LiteLLM 1.84.0 or later. SecureLayer7 advisory: https://blog.securelayer7.net/litellm-three-cve-rce-ai-supply-chain-attack
Sources
SecureLayer7 Lab — LiteLLM RCE Chain: Three CVEs Enable AI Supply Chain AttackSecurity Boulevard — Top CVEs of June 2026
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →