External risk intelligence

LiteLLM can let ordinary authenticated users obtain admin access to your systems.

CVE advisory. Severity: HIGH (CVSS 8.7)

CVE-2026-47101

LiteLLM allows authenticated users to create API keys granting admin access, bypassing security controls and enabling unauthorized control of your systems.

Halo Surface Signal: 4

Vulnerability class: Privilege Escalation

Product: LiteLLM

Affected versions: before 1.83.14

External exposure likelihood

Halo Surface Signal score for CVE-2026-47101

LiteLLM is commonly deployed as an LLM gateway or API proxy to aggregate and manage access to various AI models. As a middleware layer that manages API keys and routes traffic, it is typically deployed as an internet-facing service or an edge gateway for applications to interface with language models, making the management surface and API endpoints reachable in typical deployments.

Horizon Alert

Summary of the vulnerability and why it matters

An issue in LiteLLM allows authenticated users to create API keys that grant access to administrative functions they shouldn't have. This bypasses existing security controls, potentially leading to unauthorized access to sensitive areas of the system.

  • Existing users can gain admin privileges.
  • This affects systems using LiteLLM for API management.
  • It allows privilege escalation from a regular user to an administrator.

Attack Path

How an attacker could exploit the issue

An authenticated internal user can exploit this by creating API keys that grant access to restricted admin routes, bypassing role-based controls. This allows an attacker to escalate their privileges from a standard internal user to a proxy administrator.

  • Requires authenticated internal user.
  • Attack targets API key generation.
  • Key bypasses role-based access controls.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an authenticated user to escalate their privileges by creating API keys with unauthorized access. Attackers are likely to weaponize this because it provides a direct path to administrative control within LiteLLM, a tool often used as a gateway for LLM interactions. The ease of exploitation, combined with the critical access gained, makes it an attractive target for compromising systems that rely on this software.

  • Authenticated privilege escalation.
  • Direct path to admin control.
  • Attackers exploit known access control flaws.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize reviewing logs for API key creation that grants more access than the creator holds and for requests to restricted routes made with such keys. Block any suspicious IP addresses generating these keys and confirm all affected services are patched to version 1.83.14 or later.

  • Update LiteLLM to 1.83.14 or later.
  • Review existing API keys and revoke any that carry unauthorized administrative access.
  • Monitor for unauthorized access to restricted routes.

Frequently asked questions

What is LiteLLM and what is it used for?

LiteLLM is a software tool that acts as a unified interface for various language models. It's often used as an API gateway or proxy, allowing developers to manage and route requests to different AI models through a single point of access. This simplifies integration and management of LLM functionalities in applications.

How does the CVE-2026-47101 vulnerability work?

This vulnerability is classified as CWE-863, an incorrect authorization flaw. LiteLLM versions before 1.83.14 store API keys without validating the routes attached to them: when a key is generated, the system doesn't verify that the specified routes fall within the requesting user's permitted access, so a user can create keys that grant access to administrative functions they shouldn't have.

What are the preconditions for exploiting CVE-2026-47101?

An attacker must first be an authenticated internal user within the LiteLLM system. They then exploit the vulnerability during the API key creation process by specifying routes that are normally restricted, bypassing the intended role-based access controls. Creating a key does not trigger the bug; it's the subsequent use of the improperly configured key that exploits the weakness.
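As an added illustration (this is not LiteLLM's code; the role-to-route table, the route names and the JSON audit-line format are assumptions made for this example), the block below shows the CWE-863 shape the FAQ describes, a key-creation path that stores the requested routes without comparing them to what the creator may call, beside a hardened version that refuses such a key, and the retrospective log review that the Operational Fix section asks for, run over constructed key-creation and request lines to list revocation candidates and scope their use.

```python
import json
from dataclasses import dataclass

# Assumed role-to-route table for illustration; it is not LiteLLM's real route set.
ROLE_ROUTES = {
    "proxy_admin": {"/chat/completions", "/key/generate", "/key/list",
                    "/user/new", "/config/update"},
    "internal_user": {"/chat/completions", "/key/generate", "/key/list"},
}


@dataclass(frozen=True)
class Requester:
    user_id: str
    role: str


def permitted_routes(role: str) -> set[str]:
    """Routes a role may call; unknown roles get nothing."""
    return set(ROLE_ROUTES.get(role, set()))


def key_request_is_permitted(requester: Requester, requested_routes: set[str]) -> bool:
    """The missing authorization step: every route on the new key must already be
    callable by its creator. CWE-863 here is the absence of exactly this comparison."""
    return requested_routes <= permitted_routes(requester.role)


def create_key_vulnerable(requester: Requester, requested_routes: set[str]) -> dict:
    """Shape of the flaw described in the advisory: the caller is authenticated,
    but the routes it asks for are stored as given, never checked against its role."""
    if requester.role not in ROLE_ROUTES:
        raise PermissionError("unauthenticated or unknown role")
    return {"created_by": requester.user_id, "allowed_routes": sorted(requested_routes)}


def create_key_hardened(requester: Requester, requested_routes: set[str]) -> dict:
    """Fixed shape: refuse any key that would carry routes its creator cannot call."""
    if requester.role not in ROLE_ROUTES:
        raise PermissionError("unauthenticated or unknown role")
    if not key_request_is_permitted(requester, requested_routes):
        excess = sorted(requested_routes - permitted_routes(requester.role))
        raise PermissionError(f"requested routes exceed creator's permissions: {excess}")
    return {"created_by": requester.user_id, "allowed_routes": sorted(requested_routes)}


def _parse(line: str):
    """JSON audit line or None; malformed lines are skipped, not fatal to the review."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def audit_key_events(log_lines: list[str]) -> list[dict]:
    """Retrospective review (audit format assumed): key-creation events whose stored
    routes exceed the creator's role. These are the keys to revoke."""
    findings = []
    for ev in filter(None, map(_parse, log_lines)):
        if ev.get("event") != "key_generate":
            continue
        excess = set(ev.get("allowed_routes", [])) - permitted_routes(ev.get("role", ""))
        if excess:
            findings.append({"key_id": ev.get("key_id"), "created_by": ev.get("user_id"),
                             "role": ev.get("role"), "excess_routes": sorted(excess)})
    return findings


def route_use_by_keys(log_lines: list[str], key_ids: set[str]) -> list[dict]:
    """Second pass: which routes were actually called with the flagged keys, so the
    incident scope is known before revocation."""
    return [{"key_id": ev["key_id"], "route": ev.get("route"), "status": ev.get("status")}
            for ev in filter(None, map(_parse, log_lines))
            if ev.get("event") == "request" and ev.get("key_id") in key_ids]


# Constructed sample audit lines; not real LiteLLM log output.
SAMPLE_LOG = [
    '{"event":"key_generate","key_id":"k-001","user_id":"alice","role":"proxy_admin",'
    '"allowed_routes":["/config/update","/chat/completions"]}',
    '{"event":"key_generate","key_id":"k-002","user_id":"bob","role":"internal_user",'
    '"allowed_routes":["/chat/completions"]}',
    '{"event":"key_generate","key_id":"k-003","user_id":"bob","role":"internal_user",'
    '"allowed_routes":["/chat/completions","/user/new","/config/update"]}',
    '{"event":"request","key_id":"k-003","route":"/config/update","status":200}',
    '{"event":"request","key_id":"k-002","route":"/chat/completions","status":200}',
    "malformed line that a real log file will eventually contain",
]

if __name__ == "__main__":
    bob = Requester("bob", "internal_user")
    wanted = {"/chat/completions", "/config/update"}
    print("vulnerable path stored:", create_key_vulnerable(bob, wanted))
    try:
        create_key_hardened(bob, wanted)
    except PermissionError as exc:
        print("hardened path rejected:", exc)
    flagged = audit_key_events(SAMPLE_LOG)
    for f in flagged:
        print("revocation candidate:", f)
    for hit in route_use_by_keys(SAMPLE_LOG, {f["key_id"] for f in flagged}):
        print("flagged key used:", hit)
```

The audit compares each stored key against the creator's role rather than against a fixed list of "admin routes", which is what makes it useful after the patch too: any key whose routes exceed its creator's permissions is suspect regardless of which route was over-granted, and the second pass tells you whether the key was ever used before you revoke it.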

Who should be concerned about this LiteLLM vulnerability?

Organizations using LiteLLM, especially if it's configured to face the internet or act as an edge gateway for AI model interactions, should be concerned. The Halo Surface Signal indicates this is likely an external threat, meaning it could be accessible from outside the internal network, posing a risk to your deployed systems.

What is the first step to address this LiteLLM vulnerability?

The immediate step is to update LiteLLM to version 1.83.14 or later. After updating, review existing API keys for any suspicious or unauthorized administrative access, and revoke them as necessary. Monitoring for unusual access patterns to restricted routes is also crucial.
