External risk intelligence

LiteLLM vulnerability lets attackers gain full admin control.

CVE advisorySeverity: HIGH (CVSS 8.7)

CVE-2026-47102

A LiteLLM vulnerability allows any user to gain full administrative control, accessing all data and user information. This needs immediate attention as it could lead to significant compromise.

4Halo Surface Signal

Litellm

before 1.83.10

External exposure likelihood

Halo Surface Signal score for CVE-2026-47102

LiteLLM is commonly deployed as a centralized LLM gateway or API proxy service. These services are frequently exposed to the internet or wide internal networks to allow various applications and users to access configured model endpoints, making the administrative API surfaces of such gateways reachable in typical deployments.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in LiteLLM allows any user with existing access to elevate their privileges to administrator. This means an attacker could gain full control over all users, teams, keys, models, and prompt history within the LiteLLM instance. Teams should pay attention because this could lead to significant data compromise and service disruption.

  • Unauthorized administrative access.
  • Affects all users and data.
  • Exists in a common LLM gateway.

Attack Path

How an attacker could exploit the issue

An attacker with low-privilege access can escalate their privileges within LiteLLM by exploiting the user update endpoint. By targeting the `/user/update` endpoint, they can modify their own user role to `proxy_admin`, gaining complete administrative control over the system. This allows them to access all users, teams, keys, models, and prompt history.

  • Requires authenticated user access.
  • Targets the user update endpoint.
  • Exploits an org_admin's legitimate access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows a user with legitimate access to update their own role to `proxy_admin`, granting them full administrative control over the LiteLLM instance. Attackers are likely to find this appealing because it offers a direct path to privilege escalation, potentially leading to data exfiltration or unauthorized system changes without needing to exploit additional flaws. The primary concern is the ease of exploitation for any authenticated user who can reach the `/user/update` endpoint.

  • No evidence of public exploits.
  • Vendor patched within 4 days.
  • No KEV listing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching LiteLLM to version 1.83.10 to prevent unauthorized role changes that grant administrative access. If immediate patching isn't feasible, restrict access to the `/user/update` endpoint and monitor for any unusual administrative activity.

  • Apply LiteLLM 1.83.10 patch.
  • Limit `/user/update` endpoint access.
  • Monitor for administrative privilege escalation.

Frequently asked questions

What is LiteLLM and what is it used for?

LiteLLM is a tool that acts as a gateway or proxy for various large language models (LLMs). It allows developers and applications to interact with different LLM providers through a single, unified interface, simplifying the process of integrating AI capabilities into software.

What kind of weakness does CVE-2026-47102 describe?

CVE-2026-47102 describes an improper access control weakness. Specifically, a user can modify their own role to gain administrative privileges, which is a form of privilege escalation due to insufficient authorization checks on the update endpoint.

How can an attacker exploit the CVE-2026-47102 vulnerability?

An attacker with an existing authenticated user account in LiteLLM can exploit this by sending a request to the `/user/update` endpoint. This request can modify their own user role to `proxy_admin`, granting them full administrative access without needing any other vulnerabilities.

Who should be concerned about CVE-2026-47102 given its exposure?

Organizations using LiteLLM should be concerned. Because LiteLLM often acts as a gateway service, it's frequently exposed to the internet or wide internal networks, making its administrative functions potentially reachable. This means systems that allow any authenticated user access to the update endpoint are at risk.

What is the first step to address CVE-2026-47102?

The immediate and most effective step is to update LiteLLM to version 1.83.10 or later. This patch corrects the access control issue, preventing users from improperly elevating their roles to administrator.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified