What happened
Obsidian Security disclosed on June 15, 2026, a three-CVE chain in LiteLLM rated CVSS 9.9. Default low-privilege users could escalate to admin in minutes through a series of credential and authorization bypasses. Once admin, full RCE is trivial.
Why it matters
This affects deployments where developers or internal services have credentials but should have restricted permissions. It demonstrates that LiteLLM's authorization model is fundamentally broken and that any authenticated access to the gateway can lead to complete compromise.
Attack vector
An attacker holding default low-privilege 'internal_user' credentials, or any other authenticated user, escalates to full admin through three chained vulnerabilities. The first flaw allows a non-admin to create an API key with an allowed_routes wildcard ('/*'), a value that should be restricted. The second flaw treats the allowed_routes field as a fallback authorization grant, so the wildcard key is honored on routes the user's role does not permit. The third allows self-promotion to the proxy_admin role. From admin, arbitrary code execution follows via the MCP endpoint.
Affected systems
LiteLLM 1.74.2 through 1.83.13. Chained vulnerabilities: CVE-2026-47101, CVE-2026-47102, CVE-2026-40217.
Mitigation
Upgrade to LiteLLM 1.83.14-stable or later. Implement role-based access controls and audit key creation permissions. Monitor for suspicious privilege escalation patterns.
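One way to act on the "audit key creation permissions" and "monitor for privilege escalation" advice, as an added example that is not from the advisory or the LiteLLM project: a small detector that flags the two behaviours the attack vector describes (a non-admin minting a key with a wildcard allowed_routes, and a non-admin setting a role to proxy_admin). The JSON event schema and the sample log lines are constructed for illustration; LiteLLM's real audit format will differ and the field names must be mapped accordingly.

```python
# Added example (not from the advisory or LiteLLM): flag the two behaviours
# the advisory describes in a stream of audit events. The event schema is
# constructed for illustration; LiteLLM's real log format will differ.
import json

ADMIN_ROLE = "proxy_admin"       # admin role named in the advisory
WILDCARD_ROUTES = {"/*", "*"}    # allowed_routes patterns that grant everything

def is_wildcard(routes):
    """True if any allowed_routes entry is a catch-all pattern."""
    return any(r.strip() in WILDCARD_ROUTES for r in routes)

def analyze_events(events):
    """Return (rule, actor, detail) findings for suspicious events.
    Rule 1: a non-admin creates a key whose allowed_routes contains a wildcard.
    Rule 2: a non-admin sets a role to proxy_admin (self-promotion if target == actor)."""
    findings = []
    for ev in events:
        actor, role, action = ev["actor"], ev["actor_role"], ev["action"]
        if action == "key_create" and role != ADMIN_ROLE:
            routes = ev.get("allowed_routes", [])
            if is_wildcard(routes):
                findings.append(("wildcard_key_by_non_admin", actor, routes))
        elif action == "role_update" and role != ADMIN_ROLE and ev.get("new_role") == ADMIN_ROLE:
            kind = "self_promotion" if ev.get("target") == actor else "promotion_by_non_admin"
            findings.append((kind, actor, ev.get("target")))
    return findings

# Constructed sample audit lines (one JSON object per line), not real LiteLLM output.
SAMPLE_LOG = """
{"actor": "dev-alice", "actor_role": "internal_user", "action": "key_create", "allowed_routes": ["/chat/completions"]}
{"actor": "dev-bob", "actor_role": "internal_user", "action": "key_create", "allowed_routes": ["/*"]}
{"actor": "dev-bob", "actor_role": "internal_user", "action": "role_update", "target": "dev-bob", "new_role": "proxy_admin"}
{"actor": "ops-admin", "actor_role": "proxy_admin", "action": "key_create", "allowed_routes": ["/*"]}
"""

def findings_from_log(text=SAMPLE_LOG):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return analyze_events(events)

if __name__ == "__main__":
    for rule, actor, detail in findings_from_log():
        print(f"{rule}: {actor} -> {detail}")
```

The admin-issued wildcard key on the last sample line is deliberately not flagged, since the advisory's concern is non-admins obtaining that capability; tighten the rule if your policy forbids wildcard keys altogether.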