What happened
Obsidian Security disclosed on 2026-06-15 a three-step privilege-escalation chain: authorization bypass in key creation → privilege escalation via unguarded user update endpoint → sandbox escape via unfiltered exec(). Combined CVSS 9.9. Demonstrated MCP callback injection to hijack Claude Code responses in transit.
Why it matters
A default low-privilege internal user can climb to proxy admin and inject malicious callbacks into AI agent responses. A developer using Claude Code through a compromised LiteLLM instance receives code suggestions that have been silently altered by an attacker, inserting backdoors or credentials with developer trust.
Attack vector
(1) CVE-2026-47101: auth bypass allows low-privilege user to mint wildcard API key with /*/allowed_routes; (2) CVE-2026-47102: /user/update endpoint accepts self-promotion to proxy_admin; (3) CVE-2026-40217: Custom Code Guardrail executes arbitrary Python via exec() with no sandbox; together: low-privilege → full admin RCE + MCP callback hijacking
Affected systems
LiteLLM < 1.83.14-stable; all versions 1.74.2+ to 1.83.13 affected by full chain
Mitigation
Upgrade to LiteLLM 1.83.14-stable or later (patch available since 2026-05-02); patch gap is 6+ weeks—treat unpatched instances as exploited; rotate all stored credentials