CVE-2026-47102: LiteLLM: privilege escalation to proxy_admin via /user/update
GHSA-wpfp-gwwc-vwq6 HIGH PoC AVAILABLE CISA: ATTENDAny authenticated LiteLLM user — including those with the lowest-privilege org_admin role — can promote themselves to full proxy_admin by sending a single API call to /user/update with a modified user_role field, because the endpoint enforces identity scoping but not field-level authorization. For organizations using LiteLLM as their central AI gateway, this is a complete perimeter collapse: proxy_admin exposes every LLM provider API key, full prompt history, all teams and users, and model routing configurations across the entire deployment. The CVSS 8.8 score reflects the real blast radius — network-reachable, low complexity, no user interaction required, meaning any disgruntled insider or compromised account can escalate in seconds. Patch to v1.83.10 immediately; if patching is not immediately possible, restrict /user/update access at the network layer and audit all user_role assignments in your database for unexpected proxy_admin entries.
What is the risk?
HIGH. The exploit requires only a valid user account and a single authenticated HTTP request — no special tools, no AI/ML knowledge, no chaining of additional vulnerabilities. The authorization control failure (CWE-863) is a classic mass-assignment pattern applied to a privileged field. LiteLLM's role as an LLM proxy aggregator amplifies impact: compromise of proxy_admin is effectively compromise of every downstream LLM API credential managed through the instance. Multi-tenant deployments serving multiple teams or customers face the highest risk, as a single malicious user can pivot to access all organizational LLM configurations and sensitive prompt data.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LiteLLM | pip | < 1.83.10 | 1.83.10 |
Do you use LiteLLM? You're affected.
How severe is it?
What is the attack surface?
What should I do?
7 steps-
Patch immediately to LiteLLM v1.83.10-stable (commit 128d32d or e6f18ce).
-
If patching is delayed, block external access to /user/update at the reverse proxy or WAF layer until the patch is applied.
-
Audit the database for unauthorized proxy_admin role assignments: SELECT * FROM litellm_usertable WHERE user_role = 'proxy_admin' and cross-reference against expected admin accounts.
-
Rotate all LLM provider API keys managed through any potentially compromised LiteLLM instance.
-
Review audit logs for anomalous /user/update calls, particularly any request that succeeded and modified user_role.
-
Enable field-level mutation logging on the user table if operating a custom deployment.
-
Apply principle of least privilege — remove org_admin role from users who do not require it, as org_admins have legitimate endpoint access per the advisory.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-47102?
Any authenticated LiteLLM user — including those with the lowest-privilege org_admin role — can promote themselves to full proxy_admin by sending a single API call to /user/update with a modified user_role field, because the endpoint enforces identity scoping but not field-level authorization. For organizations using LiteLLM as their central AI gateway, this is a complete perimeter collapse: proxy_admin exposes every LLM provider API key, full prompt history, all teams and users, and model routing configurations across the entire deployment. The CVSS 8.8 score reflects the real blast radius — network-reachable, low complexity, no user interaction required, meaning any disgruntled insider or compromised account can escalate in seconds. Patch to v1.83.10 immediately; if patching is not immediately possible, restrict /user/update access at the network layer and audit all user_role assignments in your database for unexpected proxy_admin entries.
Is CVE-2026-47102 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-47102, increasing the risk of exploitation.
How to fix CVE-2026-47102?
1. Patch immediately to LiteLLM v1.83.10-stable (commit 128d32d or e6f18ce). 2. If patching is delayed, block external access to /user/update at the reverse proxy or WAF layer until the patch is applied. 3. Audit the database for unauthorized proxy_admin role assignments: SELECT * FROM litellm_usertable WHERE user_role = 'proxy_admin' and cross-reference against expected admin accounts. 4. Rotate all LLM provider API keys managed through any potentially compromised LiteLLM instance. 5. Review audit logs for anomalous /user/update calls, particularly any request that succeeded and modified user_role. 6. Enable field-level mutation logging on the user table if operating a custom deployment. 7. Apply principle of least privilege — remove org_admin role from users who do not require it, as org_admins have legitimate endpoint access per the advisory.
What systems are affected by CVE-2026-47102?
This vulnerability affects the following AI/ML architecture patterns: LLM gateway and proxy deployments, Multi-tenant AI platform infrastructure, Agent frameworks routing through LiteLLM, RAG pipelines with centralized LLM proxy, LLMOps and model serving stacks.
What is the CVSS score for CVE-2026-47102?
CVE-2026-47102 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.65%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0040 AI Model Inference API Access AML.T0049 Exploit Public-Facing Application AML.T0085 Data from AI Services AML.T0106 Exploitation for Credential Access Compliance Controls Affected
What are the technical details?
Original Advisory
LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.
Exploitation Scenario
An attacker with a standard LiteLLM user account — obtained through normal registration, a phishing campaign, or by compromising a low-value credential — sends a POST to /user/update with their own user_id and the additional field user_role set to proxy_admin. The endpoint validates that the user_id matches the authenticated caller (preventing horizontal privilege abuse) but performs no field-level validation, so the role field is accepted and persisted. The attacker's session now carries proxy_admin privileges, granting access to the /admin endpoints, all virtual key management APIs, the full user roster, team configurations, model provider credentials, and prompt history. In a multi-tenant AI platform, the attacker can then create new admin API keys to maintain persistent access, enumerate all stored LLM provider credentials, and silently redirect or log all inference traffic through a controlled model endpoint.
Weaknesses (CWE)
CWE-863 Incorrect Authorization
Primary
CWE-863 Incorrect Authorization
Primary
CWE-863 Incorrect Authorization CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References
- obsidiansecurity.com/blog/litellm-privilege-escalation-rce technical-description exploit
- gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f
- github.com/BerriAI/litellm/commit/128d32d2494b759c5d15da3452452af4c6a34c01
- github.com/BerriAI/litellm/commit/e6f18ce75b111c9b93dc15c72894cbdeb53177ce
- github.com/BerriAI/litellm/pull/25541
- github.com/BerriAI/litellm/releases/tag/v1.83.10-stable
- huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9
- vulncheck.com/advisories/litellm-privilege-escalation-via-user-update
- github.com/advisories/GHSA-wpfp-gwwc-vwq6
- nvd.nist.gov/vuln/detail/CVE-2026-47102
Timeline
Related Vulnerabilities
CVE-2026-42208 9.8 LiteLLM: SQL injection exposes LLM API credentials
Same package: litellm CVE-2026-54352 9.6 Budibase: zip symlink bypass exposes all server secrets
Same package: litellm CVE-2026-35030 9.1 LiteLLM: auth bypass via JWT cache key collision
Same package: litellm CVE-2026-35029 8.8 LiteLLM: auth bypass allows RCE and full takeover
Same package: litellm CVE-2024-6825 8.8 LiteLLM: RCE via post_call_rules callback injection
Same package: litellm