CVE-2026-35029: LiteLLM: auth bypass allows RCE and full takeover

GHSA-53mr-6c8q-9789 | UNKNOWN | PoC AVAILABLE
Published April 3, 2026

CISO Take

Any authenticated LiteLLM user — not just admins — can register attacker-controlled Python handlers and achieve remote code execution on your LLM proxy host. Patch to v1.83.0 immediately and rotate all AI provider API keys stored in that environment; treat exposed instances as compromised. LiteLLM is frequently deployed as a centralized AI gateway, meaning a single exploit exposes all downstream provider credentials and model access.

What is the risk?

HIGH. The attack requires only a valid API key — the privilege bar is intentionally low in many LiteLLM deployments where multiple teams share access. The RCE vector via custom pass-through handlers is a critical-severity primitive requiring no special skill. Arbitrary file read and credential overwrite compound the impact significantly. LiteLLM proxy sits at the center of AI infrastructure in many organizations, making the blast radius organization-wide across all connected AI providers.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
litellm | pip | < 1.83.0 | 1.83.0

Severity & Risk

CVSS 3.1: N/A
EPSS: 17.7% chance of exploitation in 30 days (higher than 95% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 18%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

What should I do?

6 steps
  1. Patch immediately to litellm>=1.83.0 — this is the only definitive fix.

  2. Rotate all AI provider API keys stored in LiteLLM environment variables (OpenAI, Anthropic, Azure, etc.) — assume credential compromise if unpatched instances had any network exposure.

  3. Audit access logs for POST requests to /config/update from non-admin users.

  4. Inspect registered pass-through handlers and UI_LOGO_PATH values for unauthorized modifications.

  5. Restrict LiteLLM API key distribution to minimum necessary users while patching.

  6. If running in a shared or multi-tenant environment, treat all provider keys as potentially leaked regardless of log evidence.
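The log audit in step 3 can be scripted; the following is an added example, not code from LiteLLM or from this advisory. It also flags /get_image fetches that follow an accepted non-admin update, since the NVD description ties that endpoint to UI_LOGO_PATH. Assumptions: a JSON-lines reverse-proxy log with the fields method, path, status, key_alias and role, and admins logged with the role proxy_admin; the sample lines are constructed.

```python
import json

# Constructed sample: JSON-lines access log from a reverse proxy in front of
# LiteLLM. The field names (method, path, status, key_alias, role) are assumed.
SAMPLE_LOG = """\
{"method": "POST", "path": "/chat/completions", "status": 200, "key_alias": "team-a", "role": "internal_user"}
{"method": "POST", "path": "/config/update", "status": 200, "key_alias": "ops-admin", "role": "proxy_admin"}
{"method": "POST", "path": "/config/update", "status": 200, "key_alias": "team-b", "role": "internal_user"}
{"method": "GET", "path": "/get_image", "status": 200}
{"method": "POST", "path": "/config/update?x=1", "status": 403, "key_alias": "team-c", "role": "internal_user"}
truncated-line-that-is-not-json
"""

ADMIN_ROLES = {"proxy_admin"}  # assumption: the label your logs use for admins


def audit(log_text):
    """Flag non-admin POSTs to /config/update and later /get_image fetches."""
    findings = []
    suspect_update_seen = False
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the audit
        if not isinstance(entry, dict):
            continue
        path = str(entry.get("path", "")).split("?", 1)[0].rstrip("/")
        method = str(entry.get("method", "")).upper()
        who = entry.get("key_alias", "unknown")
        if method == "POST" and path == "/config/update":
            # A missing role is treated as non-admin so it is never silently trusted.
            if entry.get("role") in ADMIN_ROLES:
                continue
            accepted = 200 <= int(entry.get("status", 0)) < 300
            suspect_update_seen = suspect_update_seen or accepted
            kind = "config_update_accepted" if accepted else "config_update_rejected"
            findings.append((lineno, kind, who))
        elif path == "/get_image" and suspect_update_seen:
            # UI_LOGO_PATH may have been repointed; correlate by order, not caller.
            findings.append((lineno, "get_image_after_update", who))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

An accepted finding on a pre-1.83.0 instance is the case to escalate; a rejected one after patching shows the authorization check working against a caller who still tried.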

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art.9 - Risk management system
ISO 42001: A.6.2 - AI system access control
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM08:2023 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-35029 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-35029, increasing the risk of exploitation.

What systems are affected by CVE-2026-35029?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy/gateway, model serving, agent frameworks, multi-provider AI routing, API routing layers.

What is the CVSS score for CVE-2026-35029?

No CVSS score has been assigned yet.

Technical Details

NVD Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.

Exploitation Scenario

An attacker with any valid LiteLLM API key sends a POST to /config/update registering a custom Python pass-through handler pointing to attacker-controlled code (e.g., a reverse shell payload hosted on their infrastructure). The next LLM request routed through that handler triggers execution in the LiteLLM server process under its service account. With server access, the attacker dumps all environment variables containing AI provider API keys, then overwrites UI_USERNAME/UI_PASSWORD to lock out legitimate admins. The entire AI infrastructure — every model endpoint, every provider credential, every audit log — is now under attacker control. Total time from initial access to full compromise: under five minutes.

Timeline

Published: April 3, 2026
Last Modified: April 7, 2026
First Seen: April 4, 2026
