CVE-2026-40217: LiteLLM: RCE via bytecode rewriting in guardrails API

GHSA-wxxx-gvqv-xp7p | HIGH | PoC available | CISA: Attend
Published April 10, 2026
CISO Take

LiteLLM contains a critical remote code execution vulnerability in its guardrails testing endpoint — any user with low-level API credentials can send crafted bytecode to `/guardrails/test_custom_code` and gain full code execution on the LiteLLM server. LiteLLM is a widely deployed LLM proxy used to abstract OpenAI, Anthropic, Azure, and dozens of other providers, meaning a single compromised instance exposes all configured API keys, all proxied conversation data, and the underlying host. With CVSS 8.8, network-accessible attack vector, and low complexity, this is highly exploitable by anyone who can authenticate — including trial users, leaked credentials, or insider threats. Upgrade to a build released after 2026-04-08 immediately; if patching is blocked, use a WAF rule or reverse proxy ACL to block POST requests to `/guardrails/test_custom_code` and rotate all LLM API keys configured in the affected instance.

Sources: NVD, ATLAS, x41-dsec.de

What is the risk?

High risk requiring urgent remediation. The CVSS 8.8 score is backed by realistic exploitability: network-accessible, low complexity, no user interaction needed, and only low-privilege credentials required — not an unauthenticated flaw, but in multi-tenant or SaaS LiteLLM deployments any valid API key becomes a foothold. The blast radius is broad: LiteLLM sits at the center of many enterprise AI stacks routing requests across multiple providers, making it a single point of compromise for all downstream LLM access. While no public exploit or KEV listing exists yet, the disclosed advisory from X41 D-Sec provides sufficient technical detail to enable weaponization by motivated threat actors.

Attack Kill Chain

1. Initial Access (AML.T0012): Attacker obtains low-privilege LiteLLM API credentials via credential stuffing, phishing, or leaked secrets in public repositories.
2. Exploitation (AML.T0049): Attacker sends a crafted bytecode payload to the `/guardrails/test_custom_code` endpoint, triggering bytecode rewriting to achieve arbitrary code execution on the LiteLLM server.
3. Credential Harvesting (AML.T0055): Attacker reads process environment variables and config files to extract all configured LLM provider API keys (OpenAI, Anthropic, Azure, etc.).
4. Impact (AML.T0025): Attacker exfiltrates conversation logs, system prompts, and RAG data; uses harvested API keys to impersonate the victim organization across all connected LLM providers.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| litellm | pip | >= 1.81.8, < 1.83.10 | 1.83.10 |

Do you use litellm? You're affected.

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 27% of all CVEs)
Exploitation status: Exploit available (exploitation: MEDIUM)
Sophistication: Moderate
Exploitation confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

What should I do?

6 steps

1. **Patch immediately**: Upgrade LiteLLM to any release after 2026-04-08 that addresses this CVE. Check the official GitHub releases and the X41 D-Sec advisory at x41-dsec.de for confirmed fixed versions.
2. **Firewall the endpoint now**: If immediate patching is blocked, configure your reverse proxy (nginx/Caddy) or WAF to return 403 on all requests matching `/guardrails/test_custom_code`.
3. **Rotate all LLM API keys**: Assume any LiteLLM instance reachable before patching may have been compromised; rotate OpenAI, Anthropic, Azure, and any other configured provider keys.
4. **Audit access logs**: Search for POST requests to `/guardrails/test_custom_code` in web server and application logs going back 90 days.
5. **Scope network access**: LiteLLM should not be internet-exposed; place it behind a VPN or internal load balancer with allow-listing.
6. **Disable the guardrails custom code feature** in configuration if not actively used.
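Step 4 asks for a 90-day search of access logs for POSTs to the vulnerable endpoint. The script below is an added example, not code from the original page or from the LiteLLM project: it parses nginx/Apache combined-format access log lines and returns every POST to `/guardrails/test_custom_code` inside the lookback window, matching on the path prefix so query strings and trailing slashes are not missed. The log lines, the reference date and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format as written by nginx/Apache: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TARGET_PATH = "/guardrails/test_custom_code"

def parse_line(line):
    """Return a dict for one combined-format access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_guardrail_test_calls(lines, now, lookback_days=90):
    """Return (ip, iso_time, status) for each POST to the guardrails test endpoint
    newer than now - lookback_days. Query strings and trailing slashes are stripped first."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if rec["method"] == "POST" and path == TARGET_PATH and rec["time"] >= cutoff:
            hits.append((rec["ip"], rec["time"].isoformat(), int(rec["status"])))
    return hits

# Constructed sample lines (not real traffic): one in-window hit, one GET, one stale POST, one unrelated path
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2026:14:02:11 +0000] "POST /guardrails/test_custom_code HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [09/Apr/2026:14:03:00 +0000] "GET /guardrails/test_custom_code HTTP/1.1" 405 0 "-" "curl/8.4.0"',
    '203.0.113.9 - - [01/Jan/2026:09:00:00 +0000] "POST /guardrails/test_custom_code?dry=1 HTTP/1.1" 200 600 "-" "curl/8.4.0"',
    '192.0.2.20 - - [10/Apr/2026:08:15:42 +0000] "POST /chat/completions HTTP/1.1" 200 2048 "-" "openai-python/1.0"',
]
REFERENCE_NOW = datetime(2026, 4, 11, tzinfo=timezone.utc)  # constructed "today" for the sample

def audit_sample(lookback_days=90):
    """Run the audit over the constructed sample relative to REFERENCE_NOW."""
    return find_guardrail_test_calls(SAMPLE_LOG, REFERENCE_NOW, lookback_days)

if __name__ == "__main__":
    for ip, ts, status in audit_sample():
        print(f"{ts} {ip} status={status}")
```

On a real host, feed the function the lines of the proxy's access log and pass `datetime.now(timezone.utc)` as `now`; any hit from before the patch date is a candidate compromise and should trigger the key rotation in step 3.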

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - AI system security
NIST AI RMF: GOVERN 1.7 - Processes for AI risk management
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-40217?

LiteLLM contains a critical remote code execution vulnerability in its guardrails testing endpoint — any user with low-level API credentials can send crafted bytecode to `/guardrails/test_custom_code` and gain full code execution on the LiteLLM server. LiteLLM is a widely deployed LLM proxy used to abstract OpenAI, Anthropic, Azure, and dozens of other providers, meaning a single compromised instance exposes all configured API keys, all proxied conversation data, and the underlying host. With CVSS 8.8, network-accessible attack vector, and low complexity, this is highly exploitable by anyone who can authenticate — including trial users, leaked credentials, or insider threats. Upgrade to a build released after 2026-04-08 immediately; if patching is blocked, use a WAF rule or reverse proxy ACL to block POST requests to `/guardrails/test_custom_code` and rotate all LLM API keys configured in the affected instance.

Is CVE-2026-40217 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-40217, increasing the risk of exploitation.

How to fix CVE-2026-40217?

1. **Patch immediately**: Upgrade LiteLLM to any release after 2026-04-08 that addresses this CVE. Check the official GitHub releases and the X41 D-Sec advisory at x41-dsec.de for confirmed fixed versions.
2. **Firewall the endpoint now**: If immediate patching is blocked, configure your reverse proxy (nginx/Caddy) or WAF to return 403 on all requests matching `/guardrails/test_custom_code`.
3. **Rotate all LLM API keys**: Assume any LiteLLM instance reachable before patching may have been compromised; rotate OpenAI, Anthropic, Azure, and any other configured provider keys.
4. **Audit access logs**: Search for POST requests to `/guardrails/test_custom_code` in web server and application logs going back 90 days.
5. **Scope network access**: LiteLLM should not be internet-exposed; place it behind a VPN or internal load balancer with allow-listing.
6. **Disable the guardrails custom code feature** in configuration if not actively used.

What systems are affected by CVE-2026-40217?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy and gateway deployments, RAG pipelines, Agent frameworks using LiteLLM as inference layer, Multi-provider AI API management, Model serving infrastructure.

What is the CVSS score for CVE-2026-40217?

CVE-2026-40217 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.10%.

AI Security Impact

Affected AI Architectures

- LLM proxy and gateway deployments
- RAG pipelines
- Agent frameworks using LiteLLM as inference layer
- Multi-provider AI API management
- Model serving infrastructure

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM07

Technical Details

Original Advisory

LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.

Exploitation Scenario

An attacker targeting an enterprise AI platform discovers a public or semi-public LiteLLM deployment used as the company's unified LLM gateway. They obtain low-privilege credentials through credential stuffing against a leaked API key list or by registering a trial account on a multi-tenant deployment. They send a crafted HTTP POST request to `/guardrails/test_custom_code` containing a malicious Python bytecode payload that, when the bytecode rewriting mechanism processes it, triggers arbitrary code execution in the LiteLLM process context. From this foothold, they enumerate environment variables to harvest every configured LLM API key (OpenAI, Anthropic, Azure, Cohere), exfiltrate the full conversation history from the LiteLLM database, and establish a reverse shell for persistent access — all without ever touching the underlying model providers directly.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 10, 2026
Last Modified: May 11, 2026
First Seen: April 10, 2026
