Vulnerability  ·  2026-06-18

LiteLLM Low-Privilege → Admin → RCE Privilege Escalation Chain (CVSS 9.9, Obsidian Security)

Vulnerability · High impact · Global · CVE-2026-47101
Obsidian Security disclosed a CVSS 9.9 three-vulnerability chain in LiteLLM on June 11, 2026, responsibly reported to BerriAI in February 2026 and fully patched in v1.83.14-stable. CVE-2026-47101 allows any internal user to mint an API key with wildcard route access; CVE-2026-47102 allows self-promotion to proxy_admin via an unprotected user_role field; CVE-2026-40217 allows RCE through the Custom Code Guardrail's unsandboxed exec() call. Additionally, Obsidian demonstrated a novel response-injection attack: a compromised proxy can silently rewrite model responses in transit using built-in callbacks, injecting malicious tool calls that never reach the model, bypassing prompt injection defenses entirely.
This chain demonstrates that AI gateways, long treated as passive middleware, are now first-class attack targets. Beyond credential theft, the response-injection technique is qualitatively new: it does not manipulate the LLM — it intercepts the wire between the model and the agent, converting the gateway into an agent hijacking device. Every agent routing through a compromised LiteLLM proxy can be silently redirected. The blast radius includes all downstream AI agent workflows, CI/CD pipelines using AI-assisted code review, and MCP-connected tools.
Three-step chain from a default low-privilege internal_user account: (1) CVE-2026-47101: create an API key with allowed_routes:["/*"] to bypass route-level RBAC; (2) CVE-2026-47102: POST user_role:"proxy_admin" to /user/update to self-promote to full admin; (3) CVE-2026-40217: use the Custom Code Guardrail exec() endpoint (no builtins filtering) to obtain a reverse shell. Obsidian also demonstrated response injection against Claude Code routed through the compromised proxy, injecting a malicious tool call that delivered a reverse shell on a developer machine from a single 'hello' prompt.
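The following is an added example, not code from Obsidian Security's advisory or from the LiteLLM project. It is an offline audit helper for the first two steps of the chain: it compares a proxy's reported version tag against the fixed release, and scans audit-log records for the two pre-RCE indicators the advisory names (a key generated with a wildcard allowed_routes, and a /user/update that sets user_role to proxy_admin from a non-admin account). The record layout (fields actor, actor_role, path, body) and the sample log lines are constructed for the example and are not LiteLLM's own log format.

```python
"""Audit helper for the LiteLLM privilege-escalation chain (added example).

Assumptions (not from LiteLLM): audit records are JSON lines with the fields
"actor", "actor_role", "path" and "body"; a version tag looks like
"v1.83.13-stable". Versions below 1.83.14 are treated as affected, per the advisory.
"""
import json
import re
from dataclasses import dataclass

# First release carrying all three fixes, per the advisory.
FIXED_VERSION = (1, 83, 14)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(tag: str) -> tuple:
    """Turn 'v1.83.13-stable' into (1, 83, 13); suffixes such as '-stable' are ignored."""
    m = _VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised LiteLLM version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(tag: str) -> bool:
    """True when the proxy predates 1.83.14-stable."""
    return parse_version(tag) < FIXED_VERSION


@dataclass(frozen=True)
class Finding:
    cve: str
    actor: str
    detail: str


def _wildcard_routes(routes) -> bool:
    # allowed_routes ["/*"] grants every proxy route; that is what CVE-2026-47101 abused.
    if not isinstance(routes, list):
        return False
    return any(isinstance(r, str) and r.strip() in ("/*", "*") for r in routes)


def scan_records(lines):
    """Return a Finding per suspicious record; malformed lines are skipped, not fatal."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        path = rec.get("path", "")
        body = rec.get("body") or {}
        actor = rec.get("actor", "?")
        role = rec.get("actor_role", "")
        # Step 1 indicator: key minted with wildcard route access.
        if path == "/key/generate" and _wildcard_routes(body.get("allowed_routes")):
            findings.append(Finding("CVE-2026-47101", actor,
                                    "key generated with wildcard allowed_routes"))
        # Step 2 indicator: a non-admin setting user_role=proxy_admin.
        if (path == "/user/update" and body.get("user_role") == "proxy_admin"
                and role != "proxy_admin"):
            findings.append(Finding("CVE-2026-47102", actor,
                                    f"{role or 'unknown'} account set user_role=proxy_admin"))
    return findings


# Constructed sample records (not real LiteLLM output): an internal_user mints a
# wildcard key and self-promotes; an admin legitimately promotes another user.
SAMPLE_LOG = """
{"ts": "2026-06-11T09:00:01Z", "actor": "u_alice", "actor_role": "internal_user", "path": "/key/generate", "body": {"allowed_routes": ["/*"], "key_alias": "ci"}}
{"ts": "2026-06-11T09:00:07Z", "actor": "u_alice", "actor_role": "internal_user", "path": "/user/update", "body": {"user_id": "u_alice", "user_role": "proxy_admin"}}
{"ts": "2026-06-11T09:01:00Z", "actor": "u_bob", "actor_role": "internal_user", "path": "/chat/completions", "body": {"model": "example-model"}}
{"ts": "2026-06-11T09:02:00Z", "actor": "admin", "actor_role": "proxy_admin", "path": "/user/update", "body": {"user_id": "u_carol", "user_role": "proxy_admin"}}
"""


if __name__ == "__main__":
    for tag in ("v1.83.13-stable", "1.83.14-stable"):
        print(tag, "affected" if is_vulnerable(tag) else "fixed")
    for f in scan_records(SAMPLE_LOG.splitlines()):
        print(f.cve, f.actor, f.detail)
```

The version check is deliberately coarse: it flags anything older than the fix, so run it against the version the proxy actually reports rather than the one in your deployment manifest. The log scan flags only the two indicators that precede RCE; a proxy that is already at the guardrail step should be treated as fully compromised, including the response-injection path described above.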
BerriAI LiteLLM < 1.83.14-stable (CVE-2026-47101, CVE-2026-47102, CVE-2026-40217)
Upgrade to LiteLLM ≥1.83.14-stable (all three CVEs patched). Published by Obsidian Security on June 11, 2026; reported to BerriAI in February 2026.
Sources
Obsidian Security — Breaking LiteLLM (primary advisory, verified full text)
latesthackingnews.com — LiteLLM Vulnerability Chain analysis (verified full text)
The Hacker News — LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers