SB2026050723 - Multiple vulnerabilities in LiteLLM




Published: May 7, 2026
Updated: July 1, 2026

Security Bulletin ID: SB2026050723
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium 67%, Low 33%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Improper Control of Dynamically-Managed Code Resources (CVE-ID: CVE-2026-40217)

CWE-ID: CWE-913 - Improper Control of Dynamically-Managed Code Resources

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of dynamically-managed code resources in the POST /guardrails/test_custom_code endpoint when running user-supplied Python inside a hand-rolled sandbox. A remote privileged user can submit crafted Python code to execute arbitrary code.

In default configurations, reaching the endpoint requires a proxy-admin credential. The proxy process runs as root in the default Docker image.


2) Incorrect authorization (CVE-ID: CVE-2026-47102)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in the /user/update endpoint when handling account update requests. A remote user can modify the user_role field in their own account record to escalate privileges.

Users with the org_admin role can access this endpoint and set their role to proxy_admin without chaining any additional vulnerability.


3) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to write arbitrary files and potentially execute arbitrary code.

The vulnerability exists due to path traversal in Skills archive extraction when processing uploaded skill ZIP archives for execution. A remote user can upload a crafted skill archive containing path traversal entries to write arbitrary files and potentially execute arbitrary code.

Exploitation requires access to LiteLLM LLM API routes or a key whose allowed_routes includes /v1/skills, anthropic_routes, or llm_api_routes.
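The class of check that prevents traversal during archive extraction, shown as an added example (this is not LiteLLM's code and not the vendor's patch). The names safe_extract_skill, UnsafeArchiveError and build_zip are hypothetical, and the sample archives used with it are constructed.

```python
import io
import os
import shutil
import zipfile

class UnsafeArchiveError(ValueError):
    """Raised when an archive entry would land outside the target directory."""

def safe_extract_skill(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract an uploaded ZIP into dest_dir, rejecting traversal entries."""
    base = os.path.realpath(dest_dir)
    planned = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Unix symlink entries (file type in the high 16 bits) can redirect later writes.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                raise UnsafeArchiveError(f"symlink entry: {info.filename!r}")
            # Absolute POSIX paths and Windows drive-letter paths are never legitimate here.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                raise UnsafeArchiveError(f"absolute path: {info.filename!r}")
            target = os.path.realpath(os.path.join(base, name))
            if os.path.commonpath([base, target]) != base:
                raise UnsafeArchiveError(f"escapes target dir: {info.filename!r}")
            planned.append((info, target))
        # Write only after every entry has passed, so a rejected upload leaves nothing behind.
        written = []
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
    return written

def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory for testing the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

The check resolves each destination with realpath before comparing it to the base directory, so it also catches entries that pass through a symlink already present in the target directory.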


Remediation

Install the update from the vendor's website.