CVE-2026-47101: LiteLLM: RBAC bypass enables proxy admin escalation

GHSA-qrc4-49gv-mv9m HIGH PoC AVAILABLE CISA: ATTEND
Published May 21, 2026
CISO Take

LiteLLM's API key generation endpoint fails to validate that requested route permissions fall within the requesting user's own role scope, allowing any authenticated internal_user to craft a key granting access to admin-only proxy routes. With a CVSS 8.8 score, low attack complexity, and no user interaction required, exploitation is trivial for any user with even basic platform access — think contractors, developers, or compromised service accounts with internal_user role. Although no public exploit exists and this is not in CISA KEV, the blast radius is severe: a compromised LiteLLM proxy admin can rotate or exfiltrate all downstream LLM provider API credentials (OpenAI, Anthropic, Azure OpenAI), manipulate model routing, and intercept all inference traffic across the organization's AI stack. Upgrade to LiteLLM v1.83.14-stable immediately and audit all existing API keys for anomalous allowed_routes grants.

Sources: NVD GitHub Advisory ATLAS huntr.com vulncheck.com

What is the risk?

High-risk due to CVSS 8.8 combined with minimal exploitation requirements: network-accessible, low privilege, no user interaction. Any authenticated internal_user — including those with read-only access, compromised accounts, or insider threats — can escalate to full proxy_admin. LiteLLM is deployed as a centralized AI gateway in enterprise environments, making it a high-value lateral movement pivot: admin access exposes all connected LLM provider API keys, routing configurations, spend data, and organizational model usage patterns. No public exploit exists at time of writing, but the attack pattern is straightforward enough that weaponization is likely within days of public disclosure given a huntr.com bounty report is publicly linked.

How does the attack unfold?

Initial Access
Attacker authenticates to the LiteLLM proxy as a valid internal_user, obtaining credentials via phishing, credential stuffing, or a compromised developer/contractor account.
AML.T0012
Privilege Escalation
Attacker sends POST /key/generate with admin-only routes embedded in allowed_routes; LiteLLM stores the key without validating route scope against the caller's role, issuing a proxy_admin-level key.
AML.T0049
Authorization Bypass
Attacker presents the crafted API key as an application access token to admin-only endpoints (/user/new, /model/new, /global/spend/logs), bypassing RBAC controls that would otherwise block the requests.
AML.T0091.000
Impact: Credential Harvest and Infrastructure Control
Attacker exfiltrates all downstream LLM provider API keys, creates backdoor admin accounts for persistence, and manipulates model routing to intercept or redirect all organizational AI inference traffic.
AML.T0055

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LiteLLM pip < 1.83.14 1.83.14
52.6K OpenSSF 6.0 6 dependents Pushed 5d ago 43% patched ~49d to patch Full package profile →

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.7%
chance of exploitation in 30 days
Higher than 50% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps
  1. Patch immediately: upgrade to LiteLLM v1.83.14-stable or later (fix commits: 2220f30, 5190bd0, d910a95).

  2. Audit all existing API keys: review allowed_routes fields for any internal_user-created keys that include admin-tier routes (/user/new, /user/info, /model/new, /team/new, /global/spend/logs, etc.) — revoke any suspicious keys immediately.

  3. Rotate all LiteLLM master keys and downstream LLM provider API credentials if exploitation cannot be ruled out prior to patching.

  4. If immediate patching is not feasible, restrict the /key/generate endpoint to proxy_admin role only at the network or application layer as a temporary workaround.

  5. Enable and review audit logs for key creation events from non-admin users, particularly those specifying allowed_routes with admin-tier paths.

  6. Implement periodic access reviews of all API key grants as a compensating control going forward.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - AI system access control
NIST AI RMF
GOVERN 1.1 - Policies, processes and procedures for AI risk management
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-47101?

LiteLLM's API key generation endpoint fails to validate that requested route permissions fall within the requesting user's own role scope, allowing any authenticated internal_user to craft a key granting access to admin-only proxy routes. With a CVSS 8.8 score, low attack complexity, and no user interaction required, exploitation is trivial for any user with even basic platform access — think contractors, developers, or compromised service accounts with internal_user role. Although no public exploit exists and this is not in CISA KEV, the blast radius is severe: a compromised LiteLLM proxy admin can rotate or exfiltrate all downstream LLM provider API credentials (OpenAI, Anthropic, Azure OpenAI), manipulate model routing, and intercept all inference traffic across the organization's AI stack. Upgrade to LiteLLM v1.83.14-stable immediately and audit all existing API keys for anomalous allowed_routes grants.

Is CVE-2026-47101 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-47101, increasing the risk of exploitation.

How to fix CVE-2026-47101?

1. Patch immediately: upgrade to LiteLLM v1.83.14-stable or later (fix commits: 2220f30, 5190bd0, d910a95). 2. Audit all existing API keys: review allowed_routes fields for any internal_user-created keys that include admin-tier routes (/user/new, /user/info, /model/new, /team/new, /global/spend/logs, etc.) — revoke any suspicious keys immediately. 3. Rotate all LiteLLM master keys and downstream LLM provider API credentials if exploitation cannot be ruled out prior to patching. 4. If immediate patching is not feasible, restrict the /key/generate endpoint to proxy_admin role only at the network or application layer as a temporary workaround. 5. Enable and review audit logs for key creation events from non-admin users, particularly those specifying allowed_routes with admin-tier paths. 6. Implement periodic access reviews of all API key grants as a compensating control going forward.

What systems are affected by CVE-2026-47101?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy and gateway deployments, multi-provider AI API routing infrastructure, enterprise AI API management platforms, agentic AI pipelines using LiteLLM as model router, model serving.

What is the CVSS score for CVE-2026-47101?

CVE-2026-47101 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.74%.

What is the AI security impact?

Affected AI Architectures

LLM proxy and gateway deploymentsmulti-provider AI API routing infrastructureenterprise AI API management platformsagentic AI pipelines using LiteLLM as model routermodel serving

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.

Exploitation Scenario

An attacker with internal_user credentials — obtained via phishing, credential stuffing, or a compromised developer account — sends a POST to the LiteLLM /key/generate endpoint embedding admin-only routes such as ['/user/new', '/model/new', '/team/new', '/global/spend/logs'] in the allowed_routes field. Because LiteLLM stores this field without validating it against the requestor's own permission scope (CWE-863), the request succeeds and returns a valid API key with proxy_admin-level route access. The attacker then uses this elevated key to call /user/new to create a backdoor admin account for persistence, /model/new to add a malicious model configuration pointing to an adversary-controlled endpoint, and /global/spend/logs to harvest all LLM provider API credentials in use. In an agentic deployment, the attacker silently reroutes agent model calls to intercept prompt content and tool invocations across the entire AI pipeline.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 21, 2026
Last Modified
July 1, 2026
First Seen
May 21, 2026

Related Vulnerabilities