CVE-2026-35029: LiteLLM: auth bypass allows RCE and full takeover
GHSA-53mr-6c8q-9789 | HIGH | PoC available | Nuclei template
Any authenticated LiteLLM user — not just admins — can register attacker-controlled Python handlers and achieve remote code execution on your LLM proxy host. Patch to v1.83.0 immediately and rotate all AI provider API keys stored in that environment; treat exposed instances as compromised. LiteLLM is frequently deployed as a centralized AI gateway, meaning a single exploit exposes all downstream provider credentials and model access.
What is the risk?
HIGH. The attack requires only a valid API key — the privilege bar is intentionally low in many LiteLLM deployments where multiple teams share access. The RCE vector via custom pass-through handlers is a critical-severity primitive requiring no special skill. Arbitrary file read and credential overwrite compound the impact significantly. LiteLLM proxy sits at the center of AI infrastructure in many organizations, making the blast radius organization-wide across all connected AI providers.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LiteLLM | pip | < 1.83.0 | 1.83.0 |
Do you use LiteLLM? You're affected.
What should I do?
6 steps:
1. Patch immediately to litellm>=1.83.0 — this is the only definitive fix.
2. Rotate all AI provider API keys stored in LiteLLM environment variables (OpenAI, Anthropic, Azure, etc.) — assume credential compromise if unpatched instances had any network exposure.
3. Audit access logs for POST requests to /config/update from non-admin users.
4. Inspect registered pass-through handlers and UI_LOGO_PATH values for unauthorized modifications.
5. Restrict LiteLLM API key distribution to minimum necessary users while patching.
6. If running in a shared or multi-tenant environment, treat all provider keys as potentially leaked regardless of log evidence.
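An added example (not from the advisory or the LiteLLM project) of the log audit in step 3, extended to also flag a /get_image fetch that follows an accepted /config/update from the same client, which is the file-read chain the advisory describes. It assumes uvicorn-style access log lines, which carry no API key or role, so a hypothetical ADMIN_NETS allowlist of admin source networks stands in for "non-admin"; the sample log is constructed.

```python
import re
from ipaddress import ip_address, ip_network

# uvicorn-style access line (assumed format):
#   INFO:     10.0.5.23:51822 - "POST /config/update HTTP/1.1" 200 OK
LINE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ - '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Assumption: admins only reach the proxy from this management network.
ADMIN_NETS = [ip_network("10.0.100.0/24")]

# Constructed sample log lines (not from a real deployment).
SAMPLE_LOG = """\
INFO:     10.0.100.7:40112 - "POST /config/update HTTP/1.1" 200 OK
INFO:     10.0.5.23:51820 - "POST /chat/completions HTTP/1.1" 200 OK
INFO:     10.0.5.23:51822 - "POST /config/update HTTP/1.1" 200 OK
INFO:     10.0.5.23:51830 - "GET /get_image HTTP/1.1" 200 OK
INFO:     10.0.9.4:33001 - "POST /config/update HTTP/1.1" 401 Unauthorized
INFO:     10.0.9.8:33100 - "GET /get_image HTTP/1.1" 200 OK
"""

def is_admin_source(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)

def audit(log_text):
    """Return (line_number, client_ip, finding) tuples in log order."""
    findings = []
    changed_config = set()  # non-admin clients whose config update was accepted
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE.search(line)
        if not m:
            continue
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0].rstrip("/")
        if method == "POST" and path == "/config/update" and not is_admin_source(ip):
            if 200 <= status < 300:
                changed_config.add(ip)
                findings.append((lineno, ip, "config-update-accepted"))
            else:
                findings.append((lineno, ip, "config-update-rejected"))
        elif method == "GET" and path == "/get_image" and ip in changed_config:
            findings.append((lineno, ip, "get-image-after-config-update"))
    return findings

if __name__ == "__main__":
    for lineno, ip, kind in audit(SAMPLE_LOG):
        print(f"line {lineno}: {ip} {kind}")
```

An accepted update from outside the admin networks is the finding that warrants key rotation and a review of the current proxy configuration; rejected attempts are worth tracking as probing.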
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-35029 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-35029, increasing the risk of exploitation.
What systems are affected by CVE-2026-35029?
This vulnerability affects the following AI/ML architecture patterns: LLM proxy/gateway, model serving, agent frameworks, multi-provider AI routing, API routing layers.
What is the CVSS score for CVE-2026-35029?
CVE-2026-35029 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 26.41%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0037 Data from Local System
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0055 Unsecured Credentials
- AML.T0081 Modify AI Agent Configuration
What are the technical details?
Original Advisory
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.
Exploitation Scenario
An attacker with any valid LiteLLM API key sends a POST to /config/update registering a custom Python pass-through handler pointing to attacker-controlled code (e.g., a reverse shell payload hosted on their infrastructure). The next LLM request routed through that handler triggers execution in the LiteLLM server process under its service account. With server access, the attacker dumps all environment variables containing AI provider API keys, then overwrites UI_USERNAME/UI_PASSWORD to lock out legitimate admins. The entire AI infrastructure — every model endpoint, every provider credential, every audit log — is now under attacker control. Total time from initial access to full compromise: under five minutes.
Weaknesses (CWE)
CWE-863 Incorrect Authorization
Primary
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Scanner Template Available
A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.
nuclei -t http/cves/2026/CVE-2026-35029.yaml -u https://target.example.com
Related Vulnerabilities
- CVE-2026-42208, 9.8, LiteLLM: SQL injection exposes LLM API credentials (Same package: litellm)
- CVE-2026-54352, 9.6, Budibase: zip symlink bypass exposes all server secrets (Same package: litellm)
- CVE-2026-35030, 9.1, LiteLLM: auth bypass via JWT cache key collision (Same package: litellm)
- CVE-2026-40217, 8.8, LiteLLM: RCE via bytecode rewriting in guardrails API (Same package: litellm)
- CVE-2024-6825, 8.8, LiteLLM: RCE via post_call_rules callback injection (Same package: litellm)