What happened
Obsidian Security disclosed on June 15, 2026, a four-vulnerability chain in LiteLLM with a combined CVSS score of 9.9. The chain lets a low-privilege authenticated user escalate to full proxy admin and then achieve remote code execution on the host running LiteLLM. A separate fifth vulnerability (CVE-2026-42271, MCP command injection) was added to CISA's Known Exploited Vulnerabilities catalog in June 2026 with a June 22 remediation deadline; CISA adds entries to KEV only on evidence of active exploitation, so this one is being used in the wild.
Why it matters
LiteLLM is a critical piece of AI infrastructure: it sits between an organization's applications and multiple LLM providers and routes requests between them. To do that it holds the upstream provider credentials, issues virtual API keys to internal callers, logs every prompt and response, executes guardrails, and proxies agent traffic. An attacker who controls LiteLLM therefore sees every AI interaction routed through it and can silently modify Claude Code responses in transit, inserting backdoors into generated code, removing security checks, and exfiltrating data. The fix shipped on May 2, 2026, six weeks before disclosure, but instances that have not been upgraded remain exploitable.
Attack vector
Step 1 (CVE-2026-47101): an authenticated low-privilege user creates or updates a virtual API key with a wildcard in `allowed_routes`. The wildcard bypasses the per-route authorization checks, so the key can reach routes it should never be allowed to call.
Step 2 (CVE-2026-47102): with that key the attacker reaches the `/user/update` endpoint and sets their own role to `proxy_admin`.
Step 3 (CVE-2026-40217): as admin, the attacker writes Python into a callback configuration field in the admin panel. The field's contents are passed to `exec()` without filtering, giving arbitrary code execution as the LiteLLM process.
Step 4 (CVE-2026-42271, independent of the chain above): MCP command injection in the MCP REST test endpoints lets an attacker spawn arbitrary host commands as the LiteLLM process. Either path leaves the attacker in control of the proxy, from where responses to Claude Code and other downstream agents can be hijacked in transit.
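The four steps above each leave a distinct trace in the proxy's request log, and the first three only make sense for a single actor in that order. The detection logic below, added here as an example and not code from LiteLLM, Obsidian Security or CISA, scans request records (one JSON object per line) and correlates the indicators per actor. The record layout (ts/actor/actor_role/method/path/body) is a constructed stand-in for whatever your proxy or ingress actually logs; the route names are assumptions: `/key/generate`, `/key/update`, `/user/update` and `/config/update` follow LiteLLM's public API naming, while `/mcp/test` is a placeholder for the MCP REST test endpoints the advisory refers to. The sample log is constructed.

```python
"""Detection for the LiteLLM escalation chain: added example, not project code.

Assumptions (not from the advisory): the JSON record layout, the exact route
paths, the field names allowed_routes / user_role, and the /mcp/test placeholder.
"""
import json
import re
from collections import defaultdict

KEY_WRITE_PATHS = {"/key/generate", "/key/update"}   # step 1: key with wildcard allowed_routes
USER_UPDATE_PATH = "/user/update"                    # step 2: role change to proxy_admin
CONFIG_WRITE_PATHS = {"/config/update"}              # step 3: callback settings saved from the UI (assumed path)
MCP_TEST_PATHS = {"/mcp/test"}                       # CVE-2026-42271 surface (placeholder path)

# Tokens that have no business inside a callback configuration value.
CODE_PATTERN = re.compile(r"\b(exec|eval|__import__|import\s+os|subprocess|os\.system)\b")

# The three chained steps, in the order the attacker must perform them.
CHAIN_ORDER = ("wildcard_route", "self_promote", "callback_code")


def has_wildcard(routes):
    """True if any allowed_routes entry is '*' or a glob containing '*'."""
    return any(isinstance(r, str) and "*" in r for r in (routes or []))


def contains_code(value):
    """Recursively look for Python-code markers in a JSON value."""
    if isinstance(value, str):
        return bool(CODE_PATTERN.search(value))
    if isinstance(value, dict):
        return any(contains_code(v) for v in value.values())
    if isinstance(value, list):
        return any(contains_code(v) for v in value)
    return False


def classify(rec):
    """Return the indicator tags a single request record triggers."""
    tags = set()
    path = rec.get("path", "")
    body = rec.get("body") or {}
    if path in KEY_WRITE_PATHS and has_wildcard(body.get("allowed_routes")):
        tags.add("wildcard_route")
    # A non-admin pushing proxy_admin onto any account (itself included) is the
    # self-promotion step; an existing proxy_admin doing it is routine.
    if (path == USER_UPDATE_PATH
            and body.get("user_role") == "proxy_admin"
            and rec.get("actor_role") != "proxy_admin"):
        tags.add("self_promote")
    if path in CONFIG_WRITE_PATHS and contains_code(body):
        tags.add("callback_code")
    if path in MCP_TEST_PATHS:
        tags.add("mcp_test")
    return tags


def analyze(log_lines):
    """Parse JSON lines, group indicators per actor, and flag completed chains."""
    by_actor = defaultdict(list)
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # malformed line: skip, do not crash the detector
        for tag in classify(rec):
            by_actor[rec.get("actor", "unknown")].append((rec.get("ts", ""), tag))

    findings = []
    for actor, events in by_actor.items():
        events.sort()                     # ISO-8601 timestamps sort lexically
        pos = 0
        for _, tag in events:
            if pos < len(CHAIN_ORDER) and tag == CHAIN_ORDER[pos]:
                pos += 1                  # advance only when the next chain step appears
        findings.append({
            "actor": actor,
            "indicators": sorted({tag for _, tag in events}),
            "chain_complete": pos == len(CHAIN_ORDER),
        })
    return findings


# Constructed sample: one low-privilege user walking the chain, one legitimate
# admin role change, one caller poking the MCP test route, one broken line.
SAMPLE_LOG = [
    '{"ts":"2026-06-10T09:00:01Z","actor":"user_7","actor_role":"internal_user","method":"POST",'
    '"path":"/key/update","body":{"key":"sk-example","allowed_routes":["*"]}}',
    '{"ts":"2026-06-10T09:00:05Z","actor":"user_7","actor_role":"internal_user","method":"POST",'
    '"path":"/user/update","body":{"user_id":"user_7","user_role":"proxy_admin"}}',
    '{"ts":"2026-06-10T09:01:12Z","actor":"user_7","actor_role":"proxy_admin","method":"POST",'
    '"path":"/config/update","body":{"litellm_settings":{"success_callback":"import os; os.system(\'id\')"}}}',
    '{"ts":"2026-06-10T10:15:00Z","actor":"admin_1","actor_role":"proxy_admin","method":"POST",'
    '"path":"/user/update","body":{"user_id":"user_9","user_role":"proxy_admin"}}',
    '{"ts":"2026-06-10T11:30:00Z","actor":"unauth","actor_role":null,"method":"POST",'
    '"path":"/mcp/test","body":{"command":"$(id)"}}',
    'not json at all',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample, `user_7` comes back with all three chain indicators and `chain_complete` true, `admin_1` produces nothing because a proxy_admin changing roles is normal, and `unauth` is reported for the MCP test route alone. The ordered-step check matters: a key with a wildcard followed by a legitimate admin promotion from a different actor is two unrelated findings, not a chain, so correlation is per actor and in timestamp order.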
Affected systems
LiteLLM proxy versions before 1.83.14-stable (the fixed release has been available since May 2, 2026)
Mitigation
Upgrade to LiteLLM 1.83.14-stable or later immediately. Then treat any instance that was reachable while unpatched as potentially compromised: rotate every upstream provider credential the proxy holds (OpenAI, Anthropic, Azure, AWS Bedrock), since an attacker with code execution as the LiteLLM process could have read all of them; audit all proxy_admin accounts and remove any that were not deliberately granted; review virtual keys for wildcard `allowed_routes` and revoke keys created or modified during the exposure window; inspect callback configuration fields for injected code; disable Custom Code Guardrails if unused; block the MCP REST test endpoints at the network perimeter.
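Most of that list is a state check rather than a log search, and it is worth scripting so it can be re-run after every upgrade. The audit below is an added example for this page, not code from LiteLLM or the advisory. It runs over a constructed snapshot of proxy state (version string, users, virtual keys, callback settings) that you would assemble from your own exports or database; the field names `user_id`, `user_role` and `allowed_routes` follow LiteLLM's public API naming but are assumptions here, `key_alias` and `callback_settings` are this example's own shape, and the handling of version suffixes is this example's conservative policy (a 1.83.14 build not tagged `-stable` is treated as unpatched), not something the advisory states.

```python
"""Post-upgrade audit for a LiteLLM proxy: added example, not project code.

Assumptions (not from the advisory): the snapshot layout, the field names,
and the rule that only the '-stable' build of 1.83.14 itself counts as fixed.
"""
import re

FIXED = (1, 83, 14)                      # 1.83.14-stable, per the advisory
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-.]?([A-Za-z].*))?$")
CODE_PATTERN = re.compile(r"\b(exec|eval|__import__|import\s+os|subprocess|os\.system)\b")


def parse_version(text):
    """Split '1.83.14-stable' into ((1, 83, 14), 'stable'); the suffix may be empty."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised LiteLLM version string: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), (m.group(4) or "")


def is_patched(text):
    """True when numerically past the fix, or exactly the fix number tagged 'stable'.

    Assumption: a 1.83.14 build without the -stable tag (rc, nightly, bare) is
    treated as unpatched, because the advisory names the stable build and a
    pre-release of the same number may predate the fix.
    """
    nums, suffix = parse_version(text)
    if nums > FIXED:
        return True
    return nums == FIXED and suffix == "stable"


def audit(snapshot, expected_admins):
    """Return (kind, subject) findings for each item in the mitigation list."""
    findings = []
    if not is_patched(snapshot["litellm_version"]):
        findings.append(("unpatched_version", snapshot["litellm_version"]))
    # Any proxy_admin not on the allowlist is either drift or the result of step 2.
    for user in snapshot.get("users", []):
        if user.get("user_role") == "proxy_admin" and user["user_id"] not in expected_admins:
            findings.append(("unexpected_proxy_admin", user["user_id"]))
    # A wildcard in allowed_routes is the step 1 artefact and should never be legitimate.
    for key in snapshot.get("keys", []):
        routes = key.get("allowed_routes") or []
        if any(isinstance(r, str) and "*" in r for r in routes):
            findings.append(("wildcard_allowed_routes", key["key_alias"]))
    # Callback settings should name integrations, never contain executable Python.
    for name, value in snapshot.get("callback_settings", {}).items():
        if CODE_PATTERN.search(str(value)):
            findings.append(("code_in_callback_setting", name))
    return findings


# Constructed snapshot of an instance that was walked through the chain.
SNAPSHOT = {
    "litellm_version": "1.83.12-stable",
    "users": [
        {"user_id": "admin_1", "user_role": "proxy_admin"},
        {"user_id": "user_7", "user_role": "proxy_admin"},        # promoted via step 2
        {"user_id": "user_9", "user_role": "internal_user"},
    ],
    "keys": [
        {"key_alias": "ci-pipeline", "allowed_routes": ["/chat/completions"]},
        {"key_alias": "user_7-key", "allowed_routes": ["*"]},     # step 1 artefact
    ],
    "callback_settings": {
        "success_callback": "langfuse",
        "failure_callback": "__import__('os').system('id')",     # step 3 artefact
    },
}

if __name__ == "__main__":
    for kind, subject in audit(SNAPSHOT, expected_admins={"admin_1"}):
        print(f"{kind}: {subject}")
```

On the sample snapshot the audit reports the stale version, the unexpected `user_7` admin, the wildcard key and the code in `failure_callback`; an empty result after the upgrade and cleanup is the state you want before rotating provider credentials is considered complete. `is_patched` deliberately rejects `1.83.14` without the `-stable` tag; relax that only if you have confirmed which build of that number carries the fix.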