CVE-2026-47101: LiteLLM: RBAC bypass enables proxy admin escalation
HIGH
LiteLLM's API key generation endpoint fails to validate that requested route permissions fall within the requesting user's own role scope, allowing any authenticated internal_user to craft a key granting access to admin-only proxy routes. With a CVSS 8.8 score, low attack complexity, and no user interaction required, exploitation is trivial for any user with even basic platform access — think contractors, developers, or compromised service accounts with internal_user role. Although no public exploit exists and this is not in CISA KEV, the blast radius is severe: a compromised LiteLLM proxy admin can rotate or exfiltrate all downstream LLM provider API credentials (OpenAI, Anthropic, Azure OpenAI), manipulate model routing, and intercept all inference traffic across the organization's AI stack. Upgrade to LiteLLM v1.83.14-stable immediately and audit all existing API keys for anomalous allowed_routes grants.
What is the risk?
High risk: CVSS 8.8 combined with minimal exploitation requirements (network-accessible, low privilege, no user interaction). Any authenticated internal_user, including low-privilege accounts, compromised accounts, and insider threats, can escalate to full proxy_admin. LiteLLM is deployed as a centralized AI gateway in enterprise environments, which makes it a high-value lateral-movement pivot: admin access exposes all connected LLM provider API keys, routing configurations, spend data, and organizational model usage patterns. No public exploit exists at time of writing, but the attack pattern is straightforward and a huntr.com bounty report is publicly linked, so weaponization within days of public disclosure is likely.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| litellm | pip | < 1.83.14 | 1.83.14 |
Any LiteLLM proxy deployment older than 1.83.14 that lets internal_user accounts reach /key/generate is affected.
What should I do?
6 steps:
1. Patch immediately: upgrade to LiteLLM v1.83.14-stable or later (fix commits: 2220f30, 5190bd0, d910a95).
2. Audit all existing API keys: review allowed_routes fields for any internal_user-created keys that include admin-tier routes (/user/new, /user/info, /model/new, /team/new, /global/spend/logs, etc.) and revoke any suspicious keys immediately.
3. Rotate all LiteLLM master keys and downstream LLM provider API credentials if exploitation cannot be ruled out prior to patching.
4. If immediate patching is not feasible, restrict the /key/generate endpoint to the proxy_admin role only, at the network or application layer, as a temporary workaround.
5. Enable and review audit logs for key creation events from non-admin users, particularly those specifying allowed_routes with admin-tier paths.
6. Implement periodic access reviews of all API key grants as a compensating control going forward.
Frequently Asked Questions
What is CVE-2026-47101?
An incorrect-authorization flaw (CWE-863) in the LiteLLM proxy's /key/generate endpoint: the allowed_routes a caller requests are stored without being checked against the caller's own role, so any authenticated internal_user can mint a key that reaches admin-only routes and escalate to proxy_admin. It is rated CVSS 8.8 (HIGH); no public exploit exists and it is not in CISA KEV. Fixed in LiteLLM v1.83.14-stable.
Is CVE-2026-47101 actively exploited?
No confirmed active exploitation of CVE-2026-47101 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-47101?
Upgrade to LiteLLM v1.83.14-stable or later (fix commits 2220f30, 5190bd0, d910a95), then audit existing keys for admin-tier allowed_routes granted by internal_user accounts, rotate master and provider credentials if exploitation cannot be ruled out, and restrict /key/generate to proxy_admin as an interim control where patching must wait. The six-step list under "What should I do?" above gives the full procedure.
What systems are affected by CVE-2026-47101?
Any LiteLLM proxy older than 1.83.14 is affected. In practice that covers the AI/ML architecture patterns LiteLLM is typically deployed in: LLM proxy and gateway deployments, multi-provider AI API routing infrastructure, enterprise AI API management platforms, agentic AI pipelines using LiteLLM as model router, and model serving.
What is the CVSS score for CVE-2026-47101?
CVE-2026-47101 has a CVSS v3.1 base score of 8.8 (HIGH).
Technical Details
NVD Description
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.
Exploitation Scenario
An attacker with internal_user credentials (obtained via phishing, credential stuffing, or a compromised developer account) sends a POST to the LiteLLM /key/generate endpoint embedding admin-only routes such as ['/user/new', '/model/new', '/team/new', '/global/spend/logs'] in the allowed_routes field. Because LiteLLM stores this field without validating it against the requester's own permission scope (CWE-863), the request succeeds and returns a valid API key with proxy_admin-level route access. The attacker then uses this elevated key to call /user/new to create a backdoor admin account for persistence, /model/new to add a malicious model configuration pointing to an adversary-controlled endpoint, and /global/spend/logs to harvest organization-wide usage records (which users, teams, and models are in play). In an agentic deployment, routing agent model calls through the adversary-controlled model lets the attacker silently intercept prompt content and tool invocations across the entire AI pipeline.
Weaknesses (CWE)
CWE-863: Incorrect Authorization
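The missing check described in the NVD description and the scenario above, and the key audit that step 2 of the remediation list calls for, as an added example in Python. This is not LiteLLM's own code: the role scopes in ROLE_SCOPE, the key-record field names (token, created_by_role, allowed_routes) and the three records in SAMPLE_KEYS are constructed for illustration; only the admin-tier route paths come from the advisory.

```python
"""Added example, not LiteLLM project code.

Models the CWE-863 defect behind CVE-2026-47101 (allowed_routes persisted
without checking it against the requester's role) beside the hardened form,
then reuses the same role-scope check to audit existing key records.

Assumptions (hypothetical, for illustration only): the role scopes in
ROLE_SCOPE, the record fields token / created_by_role / allowed_routes, and
the sample records in SAMPLE_KEYS. The admin-tier route paths are those
named in the advisory.
"""

# Hypothetical allow-list of routes each role may reach itself. proxy_admin is
# unrestricted (None). The admin-tier routes appear in no non-admin scope,
# which is exactly what makes delegating them to a key an escalation.
ROLE_SCOPE = {
    "proxy_admin": None,
    "internal_user": frozenset({"/chat/completions", "/embeddings", "/key/generate", "/key/info"}),
}
ADMIN_TIER_ROUTES = frozenset({"/user/new", "/user/info", "/model/new", "/team/new", "/global/spend/logs"})


class AuthorizationError(Exception):
    """Raised when a caller asks a key to carry routes the caller cannot reach."""


def route_in_scope(role: str, route: str) -> bool:
    """True if `role` may reach `route` directly. Unknown roles get no routes."""
    scope = ROLE_SCOPE.get(role, frozenset())
    return scope is None or route in scope


def excess_routes(role: str, routes) -> list:
    """Routes in `routes` that lie outside `role`'s own scope, sorted."""
    return sorted(r for r in routes if not route_in_scope(role, r))


def generate_key_vulnerable(requester_role: str, requested_routes) -> dict:
    """Pre-fix behaviour: allowed_routes is persisted exactly as requested,
    so an internal_user can mint a key carrying admin-only routes."""
    return {"created_by_role": requester_role, "allowed_routes": list(requested_routes)}


def generate_key_hardened(requester_role: str, requested_routes) -> dict:
    """Post-fix behaviour: a key may only delegate routes its creator already
    holds, so creating a key can never widen the caller's own permissions."""
    excess = excess_routes(requester_role, requested_routes)
    if excess:
        raise AuthorizationError(f"{requester_role} cannot delegate routes {excess}")
    return {"created_by_role": requester_role, "allowed_routes": list(requested_routes)}


def hardened_rejects(requester_role: str, requested_routes) -> bool:
    """Does the hardened path refuse this key request?"""
    try:
        generate_key_hardened(requester_role, requested_routes)
    except AuthorizationError:
        return True
    return False


def audit_keys(records) -> list:
    """Remediation step 2: return (token, excess_routes) for every stored key
    whose allowed_routes exceed what its creator's role could reach. Keys
    minted through the vulnerable path show up here and should be revoked."""
    findings = []
    for rec in records:
        excess = excess_routes(rec["created_by_role"], rec["allowed_routes"])
        if excess:
            findings.append((rec["token"], excess))
    return findings


# Constructed sample records, shaped like an export of the proxy's key table
# (field names are an assumption of this example, not LiteLLM's schema).
SAMPLE_KEYS = [
    {"token": "sk-aaaa", "created_by_role": "proxy_admin",
     "allowed_routes": ["/user/new", "/model/new"]},  # admin delegating admin routes: fine
    {"token": "sk-bbbb", "created_by_role": "internal_user",
     "allowed_routes": ["/chat/completions"]},  # within the creator's scope: fine
    {"token": "sk-cccc", "created_by_role": "internal_user",
     "allowed_routes": ["/chat/completions", "/user/new", "/global/spend/logs"]},  # escalation
]

if __name__ == "__main__":
    print("vulnerable path stored:", generate_key_vulnerable("internal_user", sorted(ADMIN_TIER_ROUTES)))
    print("hardened path rejects:", hardened_rejects("internal_user", sorted(ADMIN_TIER_ROUTES)))
    for token, excess in audit_keys(SAMPLE_KEYS):
        print(f"REVOKE {token}: routes beyond creator scope {excess}")
```

The check is an allow-list per role rather than a deny-list of known admin paths: a deny-list silently passes any admin route it does not enumerate, while the allow-list fails closed for unknown routes and unknown roles. A real audit should drive ROLE_SCOPE from the proxy's own role-to-route table instead of this hand-written one.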
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f
- github.com/BerriAI/litellm/commit/2220f3076ac89bd2a2e3439acf57dcfbec2434c9
- github.com/BerriAI/litellm/commit/5190bd07eb23a037745d86328096f54378f1614a
- github.com/BerriAI/litellm/commit/d910a95661fce3cdd36f3b06c03ecf9c46c6457c
- github.com/BerriAI/litellm/releases/tag/v1.83.14-stable
- huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9
- vulncheck.com/advisories/litellm-privilege-escalation-via-api-key-generation
Related Vulnerabilities
- CVE-2026-42208 (9.8) LiteLLM: SQL injection exposes LLM API credentials (same package: litellm)
- CVE-2026-35030 (9.1) LiteLLM: auth bypass via JWT cache key collision (same package: litellm)
- CVE-2024-6825 (8.8) LiteLLM: RCE via post_call_rules callback injection (same package: litellm)
- CVE-2026-40217 (8.8) LiteLLM: RCE via bytecode rewriting in guardrails API (same package: litellm)
- CVE-2026-42203 (8.8) LiteLLM: SSTI in prompt template endpoint enables RCE (same package: litellm)