CVE-2026-40217: LiteLLM: RCE via bytecode rewriting in guardrails API

HIGH
Published April 10, 2026
CISO Take

LiteLLM contains a critical remote code execution vulnerability in its guardrails testing endpoint — any user with low-level API credentials can send crafted bytecode to `/guardrails/test_custom_code` and gain full code execution on the LiteLLM server. LiteLLM is a widely deployed LLM proxy used to abstract OpenAI, Anthropic, Azure, and dozens of other providers, meaning a single compromised instance exposes all configured API keys, all proxied conversation data, and the underlying host. With CVSS 8.8, network-accessible attack vector, and low complexity, this is highly exploitable by anyone who can authenticate — including trial users, leaked credentials, or insider threats. Upgrade to a build released after 2026-04-08 immediately; if patching is blocked, use a WAF rule or reverse proxy ACL to block POST requests to `/guardrails/test_custom_code` and rotate all LLM API keys configured in the affected instance.

Sources: NVD, ATLAS, x41-dsec.de

Risk Assessment

High risk requiring urgent remediation. The CVSS 8.8 score is backed by realistic exploitability: network-accessible, low complexity, no user interaction needed, and only low-privilege credentials required — not an unauthenticated flaw, but in multi-tenant or SaaS LiteLLM deployments any valid API key becomes a foothold. The blast radius is broad: LiteLLM sits at the center of many enterprise AI stacks routing requests across multiple providers, making it a single point of compromise for all downstream LLM access. While no public exploit or KEV listing exists yet, the disclosed advisory from X41 D-Sec provides sufficient technical detail to enable weaponization by motivated threat actors.

Attack Kill Chain

Initial Access (ATLAS AML.T0012): Attacker obtains low-privilege LiteLLM API credentials via credential stuffing, phishing, or leaked secrets in public repositories.

Exploitation (ATLAS AML.T0049): Attacker sends a crafted bytecode payload to the `/guardrails/test_custom_code` endpoint, triggering bytecode rewriting to achieve arbitrary code execution on the LiteLLM server.

Credential Harvesting (ATLAS AML.T0055): Attacker reads process environment variables and config files to extract all configured LLM provider API keys (OpenAI, Anthropic, Azure, etc.).

Impact (ATLAS AML.T0025): Attacker exfiltrates conversation logs, system prompts, and RAG data; uses harvested API keys to impersonate the victim organization across all connected LLM providers.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---------|-----------|------------------|---------|
| litellm | pip       |                  | No patch |


Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

1. **Patch immediately**: Upgrade LiteLLM to any release after 2026-04-08 that addresses this CVE. Check the official GitHub releases and the X41 D-Sec advisory at x41-dsec.de for confirmed fixed versions.
2. **Firewall the endpoint now**: If immediate patching is blocked, configure your reverse proxy (nginx/Caddy) or WAF to return 403 on all requests matching `/guardrails/test_custom_code`.
3. **Rotate all LLM API keys**: Assume any LiteLLM instance reachable before patching may have been compromised — rotate OpenAI, Anthropic, Azure, and any other configured provider keys.
4. **Audit access logs**: Search for POST requests to `/guardrails/test_custom_code` in web server and application logs going back 90 days.
5. **Scope network access**: LiteLLM should not be internet-exposed; place behind VPN or internal load balancer with allow-listing.
6. **Disable the guardrails custom code feature** in configuration if not actively used.
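Steps 2 through 4 can be verified from the reverse proxy's access log. The script below is an added example, not code from this advisory or from the LiteLLM project: it parses nginx `combined`-format access log lines (the format is an assumption), flags every request whose path is `/guardrails/test_custom_code`, and separates hits that were stopped at the proxy (status 4xx, meaning the 403 rule from step 2 was in place) from hits that reached the application and therefore trigger the key rotation in step 3. The log lines, client addresses and timestamps are constructed sample data.

```python
"""Audit reverse-proxy access logs for requests to the LiteLLM guardrails
test endpoint named in CVE-2026-40217 and classify each hit.

Added example, not part of the advisory or of LiteLLM. Assumes the nginx
"combined" log format; all log lines below are constructed.
"""
import re

TARGET_PATH = "/guardrails/test_custom_code"

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: two ordinary proxy requests, one request to the
# vulnerable endpoint that reached the app (200) before any mitigation, and
# one later probe rejected by the proxy rule (403).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2026:10:12:01 +0000] "POST /chat/completions HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [09/Apr/2026:10:12:07 +0000] "GET /health HTTP/1.1" 200 15 "-" "curl/8.4.0"
203.0.113.7 - - [09/Apr/2026:10:15:42 +0000] "POST /guardrails/test_custom_code HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2026:08:01:13 +0000] "POST /guardrails/test_custom_code?x=1 HTTP/1.1" 403 153 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Compare on the path only; a query string must not hide the endpoint.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def audit_log(lines):
    """Return every request to TARGET_PATH, tagged with whether it reached the application."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        # A 4xx from the proxy means the request never reached LiteLLM.
        rec["reached_app"] = rec["status"] < 400
        findings.append(rec)
    return findings


def summarize(findings):
    """Roll the findings up into the numbers an incident responder needs."""
    reached = [f for f in findings if f["reached_app"]]
    return {
        "hits": len(findings),
        "reached_app": len(reached),
        "blocked": len(findings) - len(reached),
        "source_ips": sorted({f["ip"] for f in findings}),
        # Any request that reached the app means the instance must be treated
        # as compromised: rotate every configured provider key.
        "rotate_keys": bool(reached),
    }


if __name__ == "__main__":
    found = audit_log(SAMPLE_LOG.splitlines())
    for f in found:
        state = "REACHED APP" if f["reached_app"] else "blocked at proxy"
        print(f'{f["time"]}  {f["ip"]:<15} {f["method"]} {f["path"]} -> {f["status"]} ({state})')
    print(summarize(found))
```

In production, feed the script the proxy's rotated logs for the 90-day window from step 4 (for example `zcat access.log*.gz | python audit.py`) rather than the embedded sample; any non-zero `reached_app` count is the trigger for step 3.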

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - AI system security
NIST AI RMF: GOVERN 1.7 - Processes for AI risk management
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-40217 actively exploited?

No confirmed active exploitation of CVE-2026-40217 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-40217?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy and gateway deployments, RAG pipelines, agent frameworks using LiteLLM as the inference layer, multi-provider AI API management, and model serving infrastructure.

What is the CVSS score for CVE-2026-40217?

CVE-2026-40217 has a CVSS v3.1 base score of 8.8 (HIGH).

Technical Details

NVD Description

LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.

Exploitation Scenario

An attacker targeting an enterprise AI platform discovers a public or semi-public LiteLLM deployment used as the company's unified LLM gateway. They obtain low-privilege credentials through credential stuffing against a leaked API key list or by registering a trial account on a multi-tenant deployment. They send a crafted HTTP POST request to `/guardrails/test_custom_code` containing a malicious Python bytecode payload that, when the bytecode rewriting mechanism processes it, triggers arbitrary code execution in the LiteLLM process context. From this foothold, they enumerate environment variables to harvest every configured LLM API key (OpenAI, Anthropic, Azure, Cohere), exfiltrate the full conversation history from the LiteLLM database, and establish a reverse shell for persistent access — all without ever touching the underlying model providers directly.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 10, 2026
Last Modified: April 10, 2026
First Seen: April 10, 2026
