SB2026050723 - Multiple vulnerabilities in LiteLLM
Published: May 7, 2026 Updated: July 1, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper Control of Dynamically-Managed Code Resources (CVE-ID: CVE-2026-40217)
CWE-ID: CWE-913 - Improper Control of Dynamically-Managed Code Resources
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper control of dynamically-managed code resources in the POST /guardrails/test_custom_code endpoint when running user-supplied Python inside a hand-rolled sandbox. A remote privileged user can submit crafted Python code to execute arbitrary code.
In default configurations, reaching the endpoint requires a proxy-admin credential. The proxy process runs as root in the default Docker image.
2) Incorrect authorization (CVE-ID: CVE-2026-47102)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in the /user/update endpoint when handling account update requests. A remote user can modify the user_role field in their own account record to escalate privileges.
Users with the org_admin role can access this endpoint and set their role to proxy_admin without chaining any additional vulnerability.
3) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to write arbitrary files and potentially execute arbitrary code.
The vulnerability exists due to path traversal in Skills archive extraction when processing uploaded skill ZIP archives for execution. A remote user can upload a crafted skill archive containing path traversal entries to write arbitrary files and potentially execute arbitrary code.
Exploitation requires access to LiteLLM LLM API routes or a key whose allowed_routes includes /v1/skills, anthropic_routes, or llm_api_routes.
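A defensive check for the archive-extraction issue in item 3, as an added example that is not LiteLLM's code or the vendor's fix: it inspects every entry of an uploaded ZIP and rejects the whole archive if any entry resolves outside the destination directory or is a symlink. The function names, sample archives and POSIX path handling are assumptions made for illustration.

```python
import io
import os
import stat
import zipfile


def unsafe_entries(zf: zipfile.ZipFile, dest: str) -> list[str]:
    """Return names of entries that would land outside dest or are symlinks."""
    root = os.path.realpath(dest)
    bad = []
    for info in zf.infolist():
        # Treat backslashes as separators so Windows-style names are caught too.
        name = info.filename.replace("\\", "/")
        target = os.path.realpath(os.path.join(root, name))
        escapes = os.path.commonpath([root, target]) != root
        is_link = stat.S_ISLNK(info.external_attr >> 16)  # Unix mode bits
        if escapes or name.startswith("/") or is_link:
            bad.append(info.filename)
    return bad


def safe_extract_skill(data: bytes, dest: str) -> list[str]:
    """Extract an uploaded archive only if every entry stays inside dest."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = unsafe_entries(zf, dest)
        if bad:
            # Fail loudly instead of silently rewriting suspicious names.
            raise ValueError(f"rejected archive, unsafe entries: {bad}")
        zf.extractall(dest)
        return zf.namelist()


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: one benign skill, one carrying a traversal entry.
GOOD = build_zip({"skill/SKILL.md": b"# demo", "skill/run.py": b"print('hi')"})
BAD = build_zip({"skill/SKILL.md": b"# demo", "../../outside.txt": b"x"})
```

Rejecting the whole upload, rather than skipping the offending entry, also leaves a clear event to log and alert on.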
Remediation
Install the update from the vendor's website.