CVE-2026-35029: LiteLLM: auth bypass allows RCE and full takeover

GHSA-53mr-6c8q-9789 | HIGH | PoC available | Nuclei template
Published April 3, 2026
CISO Take

Any authenticated LiteLLM user — not just admins — can register attacker-controlled Python handlers and achieve remote code execution on your LLM proxy host. Patch to v1.83.0 immediately and rotate all AI provider API keys stored in that environment; treat exposed instances as compromised. LiteLLM is frequently deployed as a centralized AI gateway, meaning a single exploit exposes all downstream provider credentials and model access.

What is the risk?

HIGH. The attack requires only a valid API key — the privilege bar is intentionally low in many LiteLLM deployments where multiple teams share access. The RCE vector via custom pass-through handlers is a critical-severity primitive requiring no special skill. Arbitrary file read and credential overwrite compound the impact significantly. LiteLLM proxy sits at the center of AI infrastructure in many organizations, making the blast radius organization-wide across all connected AI providers.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
LiteLLM   pip         < 1.83.0           1.83.0

51.8K | OpenSSF 6.0 | 6 dependents | Pushed 6d ago | 46% patched | ~48d to patch

Do you use LiteLLM? Versions before 1.83.0 are affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 26.4% chance of exploitation in 30 days (higher than 98% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium

  • Public PoC indexed (trickest/cve)
  • Nuclei detection template available
  • EPSS exploit prediction: 26%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

6 steps
  1. Patch immediately to litellm>=1.83.0 — this is the only definitive fix.

  2. Rotate all AI provider API keys stored in LiteLLM environment variables (OpenAI, Anthropic, Azure, etc.) — assume credential compromise if unpatched instances had any network exposure.

  3. Audit access logs for POST requests to /config/update from non-admin users.

  4. Inspect registered pass-through handlers and UI_LOGO_PATH values for unauthorized modifications.

  5. Restrict LiteLLM API key distribution to minimum necessary users while patching.

  6. If running in a shared or multi-tenant environment, treat all provider keys as potentially leaked regardless of log evidence.

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art.9 - Risk management system
ISO 42001: A.6.2 - AI system access control
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM08:2023 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-35029 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-35029, increasing the risk of exploitation.

How to fix CVE-2026-35029?

  1. Patch immediately to litellm>=1.83.0 — this is the only definitive fix.

  2. Rotate all AI provider API keys stored in LiteLLM environment variables (OpenAI, Anthropic, Azure, etc.) — assume credential compromise if unpatched instances had any network exposure.

  3. Audit access logs for POST requests to /config/update from non-admin users.

  4. Inspect registered pass-through handlers and UI_LOGO_PATH values for unauthorized modifications.

  5. Restrict LiteLLM API key distribution to minimum necessary users while patching.

  6. If running in a shared or multi-tenant environment, treat all provider keys as potentially leaked regardless of log evidence.
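
The log audit in step 3 (listed here and under "What should I do?") can be started from gateway access logs. The Python below is an added example, not part of the advisory or of LiteLLM: it flags POSTs to /config/update from non-admin callers and any /get_image fetch from the same source shortly afterwards. The JSON log fields, the proxy_admin role label and the 10-minute window are assumptions to adapt to your own logs.

```python
import json
from datetime import datetime, timedelta

ADMIN_ROLES = {"proxy_admin"}    # assumption: the admin role label in your logs
WINDOW = timedelta(minutes=10)   # assumption: correlation window for follow-up reads

# Constructed sample (JSON lines); the field names are hypothetical.
SAMPLE_LOG = """\
{"ts":"2026-04-05T10:00:00","src":"192.0.2.10","method":"POST","path":"/config/update","status":200,"key":"k-admin","role":"proxy_admin"}
{"ts":"2026-04-05T10:02:11","src":"192.0.2.77","method":"POST","path":"/config/update","status":200,"key":"k-team7","role":"internal_user"}
{"ts":"2026-04-05T10:02:40","src":"192.0.2.77","method":"GET","path":"/get_image","status":200}
not-json garbage line
{"ts":"2026-04-05T11:30:00","src":"192.0.2.99","method":"POST","path":"/config/update?x=1","status":403,"key":"k-team9","role":"internal_user"}
{"ts":"2026-04-05T12:00:00","src":"192.0.2.33","method":"GET","path":"/get_image","status":200}
"""

def audit(log_text):
    """Return (findings, skipped); findings are (kind, src, key, ts) tuples."""
    findings, last_update, skipped = [], {}, 0
    for line in log_text.splitlines():
        try:
            e = json.loads(line)
            ts = datetime.fromisoformat(e["ts"])
            method = e["method"].upper()
            path = e["path"].split("?")[0].rstrip("/")
            src, status = e["src"], int(e["status"])
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1          # count unparseable lines instead of hiding them
            continue
        key, role = e.get("key"), e.get("role") or ""
        if method == "POST" and path == "/config/update":
            if role in ADMIN_ROLES:
                continue          # expected admin activity
            # A missing role is treated as non-admin (fail closed).
            ok = 200 <= status < 300
            kind = "config_update_succeeded" if ok else "config_update_attempted"
            findings.append((kind, src, key, e["ts"]))
            if ok:
                last_update[src] = ts
        elif path == "/get_image" and src in last_update:
            # Image fetch soon after a non-admin config change from the same source.
            if timedelta(0) <= ts - last_update[src] <= WINDOW:
                findings.append(("get_image_after_update", src, key, e["ts"]))
    return findings, skipped

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG)[0]:
        print(finding)
```

A non-zero skipped count means part of the log was not examined, so the audit is incomplete until those lines are accounted for.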

What systems are affected by CVE-2026-35029?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy/gateway, model serving, agent frameworks, multi-provider AI routing, API routing layers.

What is the CVSS score for CVE-2026-35029?

CVE-2026-35029 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 26.41%.

What is the AI security impact?

Affected AI Architectures

LLM proxy/gateway, model serving, agent frameworks, multi-provider AI routing, API routing layers

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM08:2023

What are the technical details?

Original Advisory

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.

Exploitation Scenario

An attacker with any valid LiteLLM API key sends a POST to /config/update registering a custom Python pass-through handler pointing to attacker-controlled code (e.g., a reverse shell payload hosted on their infrastructure). The next LLM request routed through that handler triggers execution in the LiteLLM server process under its service account. With server access, the attacker dumps all environment variables containing AI provider API keys, then overwrites UI_USERNAME/UI_PASSWORD to lock out legitimate admins. The entire AI infrastructure — every model endpoint, every provider credential, every audit log — is now under attacker control. Total time from initial access to full compromise: under five minutes.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.
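
A simplified model of the flaw and its fix, added here as an illustration and not taken from LiteLLM's code: the first handler applies a change for any authenticated caller, the second decides authorization from the caller's role before anything is applied. The Caller type, the proxy_admin role name and the environment_variables section are assumptions of this sketch.

```python
from dataclasses import dataclass

ADMIN_ROLE = "proxy_admin"   # assumption: role name used in this model
# Settings the advisory names as dangerous in the hands of a non-admin.
SENSITIVE_ENV = {"UI_USERNAME", "UI_PASSWORD", "UI_LOGO_PATH"}

class Forbidden(Exception):
    pass

@dataclass(frozen=True)
class Caller:
    key_id: str   # identifier of the API key that authenticated the request
    role: str     # role resolved server-side for that key

def apply_change(config, change):
    """Merge a change into the config (one level of nesting)."""
    for section, values in change.items():
        config.setdefault(section, {}).update(values)

def update_config_before(caller, config, change):
    # Pre-fix shape: reaching this code proves the key is valid (authentication),
    # but nothing asks whether this caller may change configuration (CWE-863).
    apply_change(config, change)
    return []

def update_config_after(caller, config, change):
    # Hardened shape: the role check runs first and denies by default, so a
    # rejected request leaves the configuration untouched.
    if caller.role != ADMIN_ROLE:
        raise Forbidden(f"{caller.key_id}: role {caller.role!r} may not update config")
    apply_change(config, change)
    # Report which sensitive settings were touched so an audit record can be written.
    env = change.get("environment_variables", {})
    return sorted(k for k in env if k in SENSITIVE_ENV)
```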

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 3, 2026
Last Modified
June 30, 2026
First Seen
April 4, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2026/CVE-2026-35029.yaml -u https://target.example.com
