Technical description
LiteLLM, a widely-used AI gateway and proxy for managing LLM API requests, contains an authorization bypass vulnerability prior to version 1.83.10. The /user/update endpoint correctly restricts users to updating only their own account but does not restrict which fields may be changed. An authenticated user can modify their own user_role field to proxy_admin, gaining full administrative privileges over the LiteLLM instance. CVSS 3.1 score: 8.8 (High).
Attack vector
An authenticated user with a valid session sends a crafted request to the /user/update endpoint, setting their user_role field to proxy_admin. Because the endpoint validates only that the user is updating their own account and not which fields are being modified, the privilege escalation succeeds. The attacker gains full control over LiteLLM's routing, model access, API keys, and configuration.
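The bug class here is a missing field-level check behind a correct ownership check. The following is an added example, not LiteLLM's code: a hypothetical update handler in its vulnerable form beside a hardened form that evaluates an allowlist of self-service fields against the raw request keys before writing anything. The field names, roles and in-memory store are constructed for the illustration.

```python
"""Hypothetical handler (not LiteLLM's code) showing the bug class behind the
/user/update issue: an ownership check alone does not stop a caller from
changing privileged fields on their own record."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Assumed set of fields a user may legitimately change on their own record.
SELF_SERVICE_FIELDS = frozenset({"user_email", "user_alias", "metadata"})

# Fields that carry authorization meaning; only an admin may set them.
PRIVILEGED_FIELDS = frozenset({"user_role", "max_budget", "teams", "models"})

ADMIN_ROLE = "proxy_admin"


@dataclass
class UserRecord:
    user_id: str
    user_role: str = "internal_user"
    user_email: str = ""
    user_alias: str = ""
    max_budget: Optional[float] = None
    teams: List[str] = field(default_factory=list)
    models: List[str] = field(default_factory=list)
    metadata: Dict[str, Any] = field(default_factory=dict)


def make_store() -> Dict[str, UserRecord]:
    """Constructed sample data: one admin and one ordinary user."""
    return {
        "admin-1": UserRecord("admin-1", user_role=ADMIN_ROLE),
        "alice": UserRecord("alice", user_email="alice@example.com"),
    }


def update_user_vulnerable(caller: UserRecord, target_id: str,
                           fields: Dict[str, Any],
                           store: Dict[str, UserRecord]) -> UserRecord:
    """Ownership check only: callers may touch their own record, but every
    field present in the request body is applied, user_role included."""
    if caller.user_role != ADMIN_ROLE and caller.user_id != target_id:
        raise PermissionError("may only update own account")
    record = store[target_id]
    for name, value in fields.items():
        if hasattr(record, name):
            setattr(record, name, value)
    return record


def update_user_hardened(caller: UserRecord, target_id: str,
                         fields: Dict[str, Any],
                         store: Dict[str, UserRecord]) -> UserRecord:
    """Ownership check plus a field allowlist, evaluated on the raw request
    keys before any write: non-admins get SELF_SERVICE_FIELDS only, and unknown
    keys are rejected rather than silently ignored."""
    is_admin = caller.user_role == ADMIN_ROLE
    if not is_admin and caller.user_id != target_id:
        raise PermissionError("may only update own account")
    allowed = SELF_SERVICE_FIELDS | (PRIVILEGED_FIELDS if is_admin else frozenset())
    disallowed = set(fields) - allowed
    if disallowed:
        raise PermissionError(
            f"fields not permitted for this caller: {sorted(disallowed)}")
    record = store[target_id]
    for name, value in fields.items():
        setattr(record, name, value)  # every key here is a known, allowed field
    return record
```

The allowlist is checked against the request keys rather than after merging into the record, so a privileged key is refused outright instead of being applied and then audited; a request that mixes allowed and disallowed keys is rejected as a whole.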
Affected systems
LiteLLM versions prior to 1.83.10 are affected, and with them any organization using LiteLLM as an AI gateway to manage access to OpenAI, Anthropic, Google, Azure OpenAI and other LLM providers.
Mitigation
Upgrade to LiteLLM 1.83.10 or later immediately. Review audit logs for unexpected user_role changes or privilege escalation activity. Rotate API keys and credentials if compromise is suspected. Implement least-privilege access controls and separate administrative functions from user self-service endpoints.
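Reviewing audit logs for unexpected user_role changes can be scripted. The following is an added example, not LiteLLM's tooling: it scans audit records for a user_role change to proxy_admin made by a non-admin actor or by a user on their own account, and lists the flagged actors' later activity for triage. The JSON-lines format and the sample records are constructed for the example; map the field names to your own audit source.

```python
"""Added example (not LiteLLM's tooling): flag user_role escalations in an
audit log and collect the follow-on activity of the flagged actors."""
import json
from typing import Any, Dict, Iterable, Iterator, List

ADMIN_ROLE = "proxy_admin"

# Constructed sample records: a benign self-service edit, an admin-granted
# promotion, a self-promotion that should be flagged, and follow-on activity.
SAMPLE_AUDIT_LOG = """
{"ts": "2025-03-10T09:01:00Z", "action": "user_update", "actor": "alice", "actor_role": "internal_user", "target": "alice", "changed": {"user_alias": ["", "Alice"]}}
{"ts": "2025-03-10T09:05:00Z", "action": "user_update", "actor": "admin-1", "actor_role": "proxy_admin", "target": "bob", "changed": {"user_role": ["internal_user", "proxy_admin"]}}
{"ts": "2025-03-10T09:07:00Z", "action": "user_update", "actor": "mallory", "actor_role": "internal_user", "target": "mallory", "changed": {"user_role": ["internal_user", "proxy_admin"]}}
not a json line
{"ts": "2025-03-10T09:09:00Z", "action": "key_generate", "actor": "mallory", "actor_role": "proxy_admin", "target": "mallory", "changed": {}}
"""


def parse_audit_log(text: str) -> Iterator[Dict[str, Any]]:
    """Yield one dict per well-formed JSON line; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_role_escalations(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return findings for user_role changes that should not come from a
    self-service path: granted by a non-admin, or applied by a user to
    their own account."""
    findings = []
    for rec in records:
        if rec.get("action") != "user_update":
            continue
        change = rec.get("changed", {}).get("user_role")
        if not change or len(change) != 2:
            continue
        old, new = change
        if old == new:
            continue
        reasons = []
        if new == ADMIN_ROLE and rec.get("actor_role") != ADMIN_ROLE:
            reasons.append("non-admin actor granted proxy_admin")
        if rec.get("actor") == rec.get("target"):
            reasons.append("self-change of user_role")
        if reasons:
            findings.append({"ts": rec.get("ts"), "actor": rec.get("actor"),
                             "target": rec.get("target"), "from": old,
                             "to": new, "reasons": reasons})
    return findings


def follow_on_activity(records: Iterable[Dict[str, Any]],
                       findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Everything each flagged actor did after their escalation, so the
    reviewer can see which keys or settings to rotate or revert."""
    first_seen = {}
    for f in findings:
        first_seen.setdefault(f["actor"], f["ts"])
    return [rec for rec in records
            if rec.get("actor") in first_seen
            and str(rec.get("ts", "")) > first_seen[rec["actor"]]]


def review(text: str) -> Dict[str, List[Dict[str, Any]]]:
    records = list(parse_audit_log(text))
    findings = find_role_escalations(records)
    return {"findings": findings,
            "follow_on": follow_on_activity(records, findings)}


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_AUDIT_LOG), indent=2))
```

The timestamp comparison relies on ISO 8601 strings in a single time zone, which sort lexically; normalize first if your log mixes offsets.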