Action not permitted
Modal body text goes here.
Modal Title
Modal Body
GHSA-QRC4-49GV-MV9M
Vulnerability from github – Published: 2026-05-21 21:30 – Updated: 2026-06-23 22:47LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "litellm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.83.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47101"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T22:47:38Z",
"nvd_published_at": "2026-05-21T21:16:32Z",
"severity": "HIGH"
},
"details": "LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user\u0027s own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.",
"id": "GHSA-qrc4-49gv-mv9m",
"modified": "2026-06-23T22:47:38Z",
"published": "2026-05-21T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47101"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/commit/2220f3076ac89bd2a2e3439acf57dcfbec2434c9"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/commit/5190bd07eb23a037745d86328096f54378f1614a"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/commit/d910a95661fce3cdd36f3b06c03ecf9c46c6457c"
},
{
"type": "WEB",
"url": "https://gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f"
},
{
"type": "PACKAGE",
"url": "https://github.com/BerriAI/litellm"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.14-stable"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9"
},
{
"type": "WEB",
"url": "https://www.obsidiansecurity.com/blog/litellm-privilege-escalation-rce"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/litellm-privilege-escalation-via-api-key-generation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit"
}
CVE-2026-47101 (GCVE-0-2026-47101)
Vulnerability from cvelistv5 – Published: 2026-05-21 20:33 – Updated: 2026-07-15 00:49 X_Open Source| URL | Tags |
|---|---|
| https://www.obsidiansecurity.com/blog/litellm-pri… | technical-descriptionexploit |
| https://gist.github.com/13ph03nix/9ec616e1fdc77b3… | exploittechnical-description |
| https://huntr.com/bounties/8e75edfb-ff05-4e63-bfc… | third-party-advisoryexploit |
| https://github.com/BerriAI/litellm/releases/tag/v… | release-notes |
| https://github.com/BerriAI/litellm/commit/d910a95… | patch |
| https://github.com/BerriAI/litellm/commit/2220f30… | patch |
| https://github.com/BerriAI/litellm/commit/5190bd0… | patch |
| https://www.vulncheck.com/advisories/litellm-priv… | third-party-advisory |
| https://access.redhat.com/security/cve/CVE-2026-47101 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2480635 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| BerriAI | litellm |
Affected:
0 , < 1.83.14
(semver)
|
|
| Red Hat | Exploit Intelligence |
cpe:/a:redhat:exploit_intelligence:0 |
|
| Red Hat | Red Hat Ansible Automation Platform 2 |
cpe:/a:redhat:ansible_automation_platform:2 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47101",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:46.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:exploit_intelligence:0"
],
"defaultStatus": "affected",
"packageName": "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9",
"product": "Exploit Intelligence",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "ansible-automation-platform-26/lightspeed-chatbot-rhel9",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "ansible-automation-platform-27/lightspeed-chatbot-rhel9",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-llama-stack-core-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-mlflow-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-21T20:33:30.163Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in LiteLLM. An authenticated internal user can exploit this vulnerability by creating API keys that grant access to routes beyond their assigned role. This occurs because the system fails to verify if the specified allowed_routes for the API key align with the user\u0027s actual permissions. Consequently, a malicious internal user can achieve full privilege escalation, gaining administrative access (proxy_admin) and bypassing role-based access controls."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T00:49:17.105Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-47101"
},
{
"name": "RHBZ#2480635",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480635"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47101.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-21T21:00:54.938Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-21T20:33:30.163Z",
"value": "Made public."
}
],
"title": "litellm: LiteLLM: Privilege escalation via API key generation with insufficient permission validation",
"workarounds": [
{
"lang": "en",
"value": "Update the litellm package to version 1.83.14 or later.\n\nUntil updated builds are available, restrict LiteLLM proxy deployments so only trusted administrators can access key-generation and management routes. Audit existing API keys for allowed_routes grants that exceed the creating user role, and rotate keys where unauthorized admin-route access is found."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageURL": "pkg:github/BerriAI/litellm",
"product": "litellm",
"repo": "https://github.com/BerriAI/litellm",
"vendor": "BerriAI",
"versions": [
{
"lessThan": "1.83.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fenix Qiao (aka 13ph03nix) from Obsidian Security"
}
],
"datePublic": "2026-04-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user\u0027s own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:32:59.692Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://www.obsidiansecurity.com/blog/litellm-privilege-escalation-rce"
},
{
"tags": [
"exploit",
"technical-description"
],
"url": "https://gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f"
},
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.14-stable"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/d910a95661fce3cdd36f3b06c03ecf9c46c6457c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/2220f3076ac89bd2a2e3439acf57dcfbec2434c9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/BerriAI/litellm/commit/5190bd07eb23a037745d86328096f54378f1614a"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/litellm-privilege-escalation-via-api-key-generation"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "LiteLLM \u003c 1.83.14 Privilege Escalation via API Key Generation",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-47101",
"datePublished": "2026-05-21T20:33:30.163Z",
"dateReserved": "2026-05-18T19:22:26.748Z",
"dateUpdated": "2026-07-15T00:49:17.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
PYSEC-2026-2598
Vulnerability from pysec - Published: 2026-07-13 15:19 - Updated: 2026-07-13 16:04LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.
| Name | purl | litellm | pkg:pypi/litellm |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "litellm",
"purl": "pkg:pypi/litellm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.83.14"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.0",
"0.1.1",
"0.1.2",
"0.1.201",
"0.1.202",
"0.1.203",
"0.1.204",
"0.1.205",
"0.1.206",
"0.1.207",
"0.1.208",
"0.1.209",
"0.1.210",
"0.1.211",
"0.1.212",
"0.1.213",
"0.1.214",
"0.1.215",
"0.1.216",
"0.1.217",
"0.1.218",
"0.1.219",
"0.1.220",
"0.1.221",
"0.1.222",
"0.1.223",
"0.1.224",
"0.1.225",
"0.1.226",
"0.1.227",
"0.1.228",
"0.1.229",
"0.1.2291",
"0.1.230",
"0.1.231",
"0.1.232",
"0.1.233",
"0.1.234",
"0.1.235",
"0.1.236",
"0.1.237",
"0.1.238",
"0.1.3",
"0.1.31",
"0.1.32",
"0.1.330",
"0.1.331",
"0.1.34",
"0.1.341",
"0.1.343",
"0.1.345",
"0.1.347",
"0.1.348",
"0.1.349",
"0.1.351",
"0.1.352",
"0.1.353",
"0.1.354",
"0.1.356",
"0.1.360",
"0.1.361",
"0.1.362",
"0.1.363",
"0.1.364",
"0.1.365",
"0.1.366",
"0.1.367",
"0.1.368",
"0.1.369",
"0.1.370",
"0.1.371",
"0.1.372",
"0.1.373",
"0.1.375",
"0.1.376",
"0.1.379",
"0.1.380",
"0.1.381",
"0.1.383",
"0.1.384",
"0.1.385",
"0.1.386",
"0.1.387",
"0.1.388",
"0.1.389",
"0.1.392",
"0.1.393",
"0.1.394",
"0.1.398",
"0.1.399",
"0.1.400",
"0.1.401",
"0.1.402",
"0.1.403",
"0.1.404",
"0.1.405",
"0.1.410",
"0.1.411",
"0.1.412",
"0.1.415",
"0.1.419",
"0.1.420",
"0.1.421",
"0.1.422",
"0.1.424",
"0.1.425",
"0.1.426",
"0.1.429",
"0.1.433",
"0.1.434",
"0.1.435",
"0.1.436",
"0.1.437",
"0.1.438",
"0.1.439",
"0.1.440",
"0.1.441",
"0.1.442",
"0.1.443",
"0.1.444",
"0.1.445",
"0.1.446",
"0.1.447",
"0.1.448",
"0.1.449",
"0.1.450",
"0.1.451",
"0.1.452",
"0.1.456",
"0.1.457",
"0.1.459",
"0.1.460",
"0.1.461",
"0.1.464",
"0.1.465",
"0.1.475",
"0.1.477",
"0.1.479",
"0.1.480",
"0.1.481",
"0.1.482",
"0.1.486",
"0.1.487",
"0.1.488",
"0.1.490",
"0.1.491",
"0.1.492",
"0.1.493",
"0.1.494",
"0.1.495",
"0.1.497",
"0.1.500",
"0.1.501",
"0.1.504",
"0.1.507",
"0.1.508",
"0.1.509",
"0.1.510",
"0.1.511",
"0.1.512",
"0.1.516",
"0.1.517",
"0.1.518",
"0.1.520",
"0.1.525",
"0.1.530",
"0.1.531",
"0.1.533",
"0.1.535",
"0.1.536",
"0.1.537",
"0.1.538",
"0.1.544",
"0.1.546",
"0.1.547",
"0.1.548",
"0.1.549",
"0.1.550",
"0.1.551",
"0.1.552",
"0.1.553",
"0.1.554",
"0.1.555",
"0.1.556",
"0.1.557",
"0.1.558",
"0.1.559",
"0.1.560",
"0.1.561",
"0.1.562",
"0.1.563",
"0.1.567",
"0.1.568",
"0.1.569",
"0.1.570",
"0.1.574",
"0.1.578",
"0.1.580",
"0.1.582",
"0.1.583",
"0.1.585",
"0.1.586",
"0.1.587",
"0.1.590",
"0.1.591",
"0.1.593",
"0.1.595",
"0.1.596",
"0.1.597",
"0.1.598",
"0.1.600",
"0.1.601",
"0.1.604",
"0.1.605",
"0.1.607",
"0.1.609",
"0.1.610",
"0.1.615",
"0.1.618",
"0.1.619",
"0.1.620",
"0.1.621",
"0.1.623",
"0.1.624",
"0.1.625",
"0.1.626",
"0.1.629",
"0.1.630",
"0.1.631",
"0.1.632",
"0.1.634",
"0.1.635",
"0.1.636",
"0.1.638",
"0.1.639",
"0.1.641",
"0.1.642",
"0.1.643",
"0.1.644",
"0.1.645",
"0.1.646",
"0.1.647",
"0.1.648",
"0.1.649",
"0.1.650",
"0.1.651",
"0.1.652",
"0.1.674",
"0.1.680",
"0.1.681",
"0.1.683",
"0.1.685",
"0.1.686",
"0.1.687",
"0.1.689",
"0.1.690",
"0.1.692",
"0.1.693",
"0.1.696",
"0.1.697",
"0.1.698",
"0.1.700",
"0.1.700.dev0",
"0.1.700.dev1",
"0.1.700.dev2",
"0.1.700.dev3",
"0.1.700.dev4",
"0.1.700.dev5",
"0.1.702",
"0.1.704",
"0.1.706",
"0.1.714",
"0.1.714.dev1",
"0.1.715",
"0.1.716",
"0.1.719",
"0.1.720",
"0.1.721",
"0.1.723",
"0.1.724",
"0.1.729",
"0.1.736",
"0.1.738",
"0.1.743",
"0.1.745",
"0.1.746",
"0.1.747",
"0.1.748",
"0.1.749",
"0.1.750",
"0.1.751",
"0.1.758",
"0.1.765",
"0.1.769",
"0.1.7701",
"0.1.7713",
"0.1.772",
"0.1.774",
"0.1.780",
"0.1.781",
"0.1.784",
"0.1.786",
"0.1.788",
"0.1.789",
"0.1.793",
"0.1.794",
"0.1.805",
"0.1.806",
"0.1.807",
"0.1.813",
"0.1.814",
"0.1.815",
"0.1.816",
"0.1.817",
"0.1.818",
"0.1.819",
"0.1.820",
"0.1.821",
"0.1.824",
"0.10.0",
"0.10.1",
"0.11.1",
"0.12.10",
"0.12.11",
"0.12.12",
"0.12.4",
"0.12.4.dev1",
"0.12.4.dev2",
"0.12.5",
"0.12.5.dev1",
"0.12.7",
"0.12.7.dev1",
"0.12.8",
"0.12.9",
"0.13.0",
"0.13.1",
"0.13.1.dev1",
"0.13.1.dev2",
"0.13.1.dev3",
"0.13.2",
"0.13.2.dev1",
"0.13.3.dev1",
"0.13.3.dev2",
"0.13.6.dev1",
"0.13.6.dev2",
"0.13.6.dev3",
"0.13.7.dev1",
"0.14.0",
"0.14.0.dev1",
"0.14.1",
"0.2.5",
"0.2.6",
"0.3.0",
"0.3.1",
"0.4.0",
"0.4.4",
"0.5.2",
"0.5.3",
"0.5.4",
"0.5.6",
"0.6.0",
"0.6.1",
"0.6.2",
"0.6.6",
"0.7.1",
"0.7.1.dev1",
"0.7.1.dev2",
"0.7.1.dev3",
"0.7.10",
"0.7.3",
"0.7.4",
"0.7.5",
"0.7.9",
"0.8.0",
"0.8.1",
"0.8.2",
"0.8.3",
"0.8.4",
"0.8.5",
"0.8.6",
"0.9.0",
"0.9.1",
"0.9.2",
"0.9.2.dev1",
"1.0.0",
"1.0.0.dev1",
"1.0.3",
"1.0.3.dev1",
"1.1.0",
"1.1.1",
"1.1.2",
"1.1.3",
"1.10.0",
"1.10.1",
"1.10.10",
"1.10.11",
"1.10.2",
"1.10.3",
"1.10.4",
"1.10.6",
"1.10.8",
"1.10.9",
"1.10.dev11",
"1.11.0",
"1.11.1",
"1.12.0",
"1.12.1",
"1.12.2",
"1.12.3",
"1.12.5",
"1.12.5.dev1",
"1.12.6.dev1",
"1.12.6.dev2",
"1.12.6.dev3",
"1.12.6.dev4",
"1.12.6.dev5",
"1.13.2",
"1.14.0",
"1.14.0.dev1",
"1.14.1",
"1.14.10",
"1.14.2",
"1.14.3",
"1.14.4",
"1.14.5",
"1.14.5.dev1",
"1.14.6",
"1.14.7",
"1.14.8",
"1.14.9",
"1.15.0",
"1.15.1",
"1.15.10",
"1.15.2",
"1.15.3",
"1.15.6",
"1.15.7",
"1.15.8",
"1.16.0",
"1.16.1",
"1.16.11",
"1.16.12",
"1.16.18",
"1.16.19",
"1.16.2",
"1.16.20",
"1.16.21",
"1.16.3",
"1.16.4",
"1.16.5",
"1.16.6",
"1.16.7",
"1.16.8",
"1.16.9",
"1.17.0",
"1.17.2",
"1.17.3",
"1.17.4",
"1.17.5",
"1.17.9",
"1.18.0",
"1.18.1",
"1.18.13",
"1.18.13.dev1",
"1.18.13.dev4",
"1.18.13.dev5",
"1.18.14.dev8",
"1.18.2",
"1.18.6",
"1.18.7",
"1.18.8",
"1.19.4",
"1.2.0",
"1.20.0",
"1.20.5",
"1.20.6",
"1.20.7",
"1.20.8",
"1.20.9",
"1.21.4.dev1",
"1.21.6",
"1.21.7",
"1.22.3",
"1.22.5",
"1.23.0",
"1.23.1",
"1.23.15",
"1.23.16",
"1.23.2",
"1.23.3",
"1.23.5",
"1.24.3",
"1.24.5",
"1.25.0",
"1.25.1",
"1.25.2",
"1.26.0",
"1.26.1",
"1.26.13",
"1.26.3",
"1.26.8",
"1.27.1.dev11",
"1.27.1.dev30",
"1.27.1.dev31",
"1.27.1.dev40",
"1.27.1.dev50",
"1.27.1.dev60",
"1.27.1.dev9",
"1.27.4",
"1.27.6",
"1.27.8",
"1.28.0",
"1.28.1",
"1.28.10",
"1.28.11",
"1.28.13",
"1.28.4",
"1.29.1",
"1.29.3",
"1.29.4.dev1",
"1.29.7.dev3",
"1.3.1",
"1.3.3",
"1.3.3.dev1",
"1.3.3.dev2",
"1.3.3.dev3",
"1.30.0",
"1.30.1",
"1.30.1.dev5",
"1.30.1.dev6",
"1.30.3",
"1.30.7",
"1.31.13.dev1",
"1.31.13.dev10",
"1.31.13.dev2",
"1.31.13.dev3",
"1.31.14",
"1.31.14.dev2",
"1.31.14.dev3",
"1.31.14.dev4",
"1.31.14.dev5",
"1.31.14.dev6",
"1.31.14.dev8",
"1.31.14.dev9",
"1.31.15.dev2",
"1.31.17",
"1.31.2",
"1.31.2.dev10",
"1.31.3",
"1.31.6",
"1.31.8",
"1.32.1",
"1.32.4",
"1.32.5.dev1",
"1.32.9",
"1.33.4",
"1.33.5.dev1",
"1.33.9",
"1.34.0",
"1.34.1",
"1.34.11",
"1.34.16",
"1.34.18",
"1.34.21",
"1.34.22",
"1.34.25",
"1.34.29",
"1.34.3",
"1.34.37",
"1.34.39",
"1.34.4",
"1.34.42",
"1.34.6",
"1.34.8",
"1.35.0",
"1.35.0.dev1",
"1.35.1",
"1.35.12",
"1.35.17",
"1.35.18",
"1.35.2",
"1.35.20",
"1.35.21",
"1.35.22",
"1.35.23",
"1.35.26",
"1.35.28",
"1.35.3",
"1.35.31",
"1.35.32",
"1.35.35",
"1.35.36",
"1.35.38",
"1.35.5",
"1.35.7",
"1.35.8",
"1.36.0",
"1.36.1",
"1.36.2",
"1.36.4",
"1.37.0",
"1.37.12",
"1.37.14",
"1.37.16",
"1.37.19",
"1.37.2",
"1.37.20",
"1.37.3",
"1.37.7",
"1.37.9",
"1.38.0",
"1.38.1",
"1.38.10",
"1.38.11",
"1.38.12",
"1.38.3",
"1.38.4",
"1.38.5",
"1.38.7",
"1.38.8",
"1.39.2",
"1.39.3",
"1.39.4",
"1.39.5",
"1.39.5.dev1",
"1.39.6",
"1.4.0",
"1.40.0",
"1.40.0.dev1",
"1.40.1",
"1.40.1.dev1",
"1.40.10",
"1.40.11",
"1.40.12",
"1.40.13",
"1.40.14",
"1.40.15",
"1.40.16",
"1.40.17",
"1.40.19",
"1.40.2",
"1.40.20",
"1.40.21",
"1.40.22",
"1.40.24",
"1.40.25",
"1.40.26",
"1.40.27",
"1.40.28",
"1.40.29",
"1.40.3",
"1.40.31",
"1.40.4",
"1.40.5",
"1.40.6",
"1.40.7",
"1.40.8",
"1.40.9",
"1.41.0",
"1.41.1",
"1.41.11",
"1.41.12",
"1.41.13",
"1.41.14",
"1.41.15",
"1.41.15.dev2",
"1.41.17",
"1.41.18",
"1.41.19",
"1.41.2",
"1.41.20",
"1.41.21",
"1.41.22",
"1.41.23",
"1.41.24",
"1.41.25",
"1.41.26",
"1.41.27",
"1.41.28",
"1.41.3",
"1.41.4",
"1.41.5",
"1.41.6",
"1.41.7",
"1.41.8",
"1.42.0",
"1.42.1",
"1.42.10",
"1.42.11",
"1.42.12",
"1.42.2",
"1.42.3",
"1.42.4",
"1.42.5",
"1.42.6",
"1.42.7",
"1.42.8",
"1.42.9",
"1.43.0",
"1.43.1",
"1.43.10",
"1.43.12",
"1.43.13",
"1.43.15",
"1.43.16",
"1.43.17",
"1.43.18",
"1.43.19",
"1.43.2",
"1.43.3",
"1.43.4",
"1.43.5",
"1.43.6",
"1.43.7",
"1.43.9",
"1.44.1",
"1.44.10",
"1.44.11",
"1.44.12",
"1.44.13",
"1.44.14",
"1.44.15",
"1.44.16",
"1.44.17",
"1.44.18",
"1.44.19",
"1.44.2",
"1.44.21",
"1.44.22",
"1.44.23",
"1.44.24",
"1.44.25",
"1.44.26",
"1.44.27",
"1.44.28",
"1.44.3",
"1.44.4",
"1.44.5",
"1.44.6",
"1.44.7",
"1.44.8",
"1.44.9",
"1.45.0",
"1.46.0",
"1.46.1",
"1.46.2",
"1.46.4",
"1.46.5",
"1.46.6",
"1.46.7",
"1.46.8",
"1.47.0",
"1.47.1",
"1.47.2",
"1.48.0",
"1.48.1",
"1.48.10",
"1.48.11",
"1.48.12",
"1.48.14",
"1.48.15",
"1.48.16",
"1.48.17",
"1.48.18",
"1.48.19",
"1.48.2",
"1.48.3",
"1.48.4",
"1.48.5",
"1.48.6",
"1.48.7",
"1.48.8",
"1.48.9",
"1.49.0",
"1.49.1",
"1.49.2",
"1.49.3",
"1.49.4",
"1.49.5",
"1.49.6",
"1.49.7",
"1.50.0",
"1.50.1",
"1.50.2",
"1.50.4",
"1.51.0",
"1.51.1",
"1.51.2",
"1.51.3",
"1.52.0",
"1.52.1",
"1.52.10",
"1.52.11",
"1.52.12",
"1.52.14",
"1.52.15",
"1.52.16",
"1.52.2",
"1.52.3",
"1.52.4",
"1.52.5",
"1.52.6",
"1.52.8",
"1.52.9",
"1.53.1",
"1.53.1.dev1",
"1.53.2",
"1.53.3",
"1.53.4",
"1.53.5",
"1.53.6",
"1.53.7",
"1.53.8",
"1.53.9",
"1.54.0",
"1.54.1",
"1.55.0",
"1.55.1",
"1.55.10",
"1.55.11",
"1.55.12",
"1.55.2",
"1.55.3",
"1.55.4",
"1.55.6",
"1.55.7",
"1.55.8",
"1.55.9",
"1.56.10",
"1.56.2",
"1.56.3",
"1.56.4",
"1.56.5",
"1.56.6",
"1.56.8",
"1.56.8.dev4",
"1.56.8.dev5",
"1.56.8.dev6",
"1.56.8.dev7",
"1.56.9",
"1.57.0",
"1.57.1",
"1.57.10",
"1.57.11",
"1.57.2",
"1.57.3",
"1.57.4",
"1.57.5",
"1.57.7",
"1.57.7.dev1",
"1.57.8",
"1.58.0",
"1.58.1",
"1.58.2",
"1.58.4",
"1.59.0",
"1.59.1",
"1.59.1.dev1",
"1.59.10",
"1.59.10.dev1",
"1.59.12",
"1.59.2",
"1.59.3",
"1.59.5",
"1.59.6",
"1.59.7",
"1.59.8",
"1.59.9",
"1.6.0",
"1.60.0",
"1.60.2",
"1.60.4",
"1.60.5",
"1.60.6",
"1.60.7",
"1.60.8",
"1.60.9",
"1.61.0",
"1.61.0.dev1",
"1.61.1",
"1.61.11",
"1.61.13",
"1.61.15",
"1.61.16",
"1.61.17",
"1.61.19",
"1.61.2",
"1.61.20",
"1.61.3",
"1.61.4",
"1.61.5",
"1.61.6",
"1.61.7",
"1.61.8",
"1.61.9",
"1.62.1",
"1.62.4",
"1.63.0",
"1.63.0.dev12",
"1.63.11",
"1.63.11.dev1",
"1.63.12",
"1.63.14",
"1.63.2",
"1.63.3",
"1.63.4.dev1",
"1.63.5",
"1.63.6",
"1.63.7",
"1.63.8",
"1.64.1",
"1.65.0",
"1.65.0.post1",
"1.65.1",
"1.65.3",
"1.65.4",
"1.65.4.post1",
"1.65.5",
"1.65.6",
"1.65.7",
"1.65.8",
"1.66.0",
"1.66.1",
"1.66.2",
"1.66.3",
"1.67.0",
"1.67.0.post1",
"1.67.1",
"1.67.2",
"1.67.4",
"1.67.4.dev1",
"1.67.4.post1",
"1.67.5",
"1.67.6",
"1.68.0",
"1.68.1",
"1.68.1.dev1",
"1.68.2",
"1.69.0",
"1.69.1",
"1.69.2",
"1.69.3",
"1.7.1",
"1.7.11",
"1.7.12",
"1.7.2",
"1.7.3",
"1.7.4",
"1.7.5",
"1.7.6",
"1.7.7",
"1.7.8",
"1.7.9",
"1.70.0",
"1.70.2",
"1.70.4",
"1.71.0",
"1.71.1",
"1.71.2",
"1.71.3",
"1.72.0",
"1.72.1",
"1.72.2",
"1.72.2.post1",
"1.72.3",
"1.72.4",
"1.72.5.dev1",
"1.72.5.dev2",
"1.72.5.dev3",
"1.72.6",
"1.72.6.post1",
"1.72.6.post2",
"1.72.7",
"1.72.7.dev1",
"1.72.7.dev7",
"1.72.9",
"1.73.0",
"1.73.0.post1",
"1.73.0rc1",
"1.73.1",
"1.73.2",
"1.73.6",
"1.73.6.post1",
"1.73.6rc2",
"1.73.7",
"1.73.7.dev1",
"1.73.7.dev2",
"1.73.7.dev3",
"1.73.7.dev4",
"1.74.0",
"1.74.0.post1",
"1.74.0.post2",
"1.74.1",
"1.74.12",
"1.74.14",
"1.74.15",
"1.74.15.post1",
"1.74.15.post2",
"1.74.2",
"1.74.3",
"1.74.3.post1",
"1.74.3rc1",
"1.74.3rc2",
"1.74.3rc3",
"1.74.4",
"1.74.4.dev1",
"1.74.6",
"1.74.7",
"1.74.7.post1",
"1.74.7.post2",
"1.74.7rc1",
"1.74.8",
"1.74.8.dev2",
"1.74.9",
"1.74.9.dev1",
"1.74.9.dev2",
"1.74.9.post1",
"1.74.9.post2",
"1.75.0",
"1.75.2",
"1.75.3",
"1.75.4",
"1.75.5.post1",
"1.75.5.post2",
"1.75.6",
"1.75.7",
"1.75.8",
"1.75.9",
"1.76.0",
"1.76.1",
"1.76.2",
"1.76.3",
"1.77.0",
"1.77.1",
"1.77.2.post1",
"1.77.3",
"1.77.4",
"1.77.4.dev1",
"1.77.5",
"1.77.7",
"1.78.0",
"1.78.0rc2",
"1.78.2",
"1.78.3",
"1.78.4",
"1.78.5",
"1.78.6",
"1.78.7",
"1.79.0",
"1.79.0.dev1",
"1.79.0.dev2",
"1.79.0.dev3",
"1.79.1",
"1.79.2",
"1.79.3",
"1.79.3.dev8",
"1.8.1",
"1.80.0",
"1.80.10",
"1.80.11",
"1.80.12",
"1.80.13",
"1.80.15",
"1.80.16",
"1.80.17",
"1.80.5",
"1.80.6",
"1.80.7",
"1.80.8",
"1.80.9",
"1.81.0",
"1.81.1",
"1.81.10",
"1.81.11",
"1.81.12",
"1.81.13",
"1.81.14",
"1.81.15",
"1.81.16",
"1.81.3",
"1.81.4",
"1.81.5",
"1.81.6",
"1.81.7",
"1.81.8",
"1.81.9",
"1.81.9.dev1",
"1.82.0",
"1.82.1",
"1.82.2",
"1.82.3",
"1.82.4",
"1.82.5",
"1.82.6",
"1.83.0",
"1.83.1",
"1.83.10",
"1.83.11",
"1.83.12",
"1.83.13",
"1.83.2",
"1.83.3",
"1.83.4",
"1.83.5",
"1.83.6",
"1.83.7",
"1.83.8",
"1.83.9",
"1.9.0",
"1.9.1",
"1.9.2",
"1.9.3",
"1.9.4",
"1.9.5",
"1.9.dev0"
]
}
],
"aliases": [
"CVE-2026-47101",
"GHSA-qrc4-49gv-mv9m"
],
"details": "LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user\u0027s own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.",
"id": "PYSEC-2026-2598",
"modified": "2026-07-13T16:04:36.428784Z",
"published": "2026-07-13T15:19:10.943370Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47101"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/commit/2220f3076ac89bd2a2e3439acf57dcfbec2434c9"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/commit/5190bd07eb23a037745d86328096f54378f1614a"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/commit/d910a95661fce3cdd36f3b06c03ecf9c46c6457c"
},
{
"type": "WEB",
"url": "https://gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f"
},
{
"type": "PACKAGE",
"url": "https://github.com/BerriAI/litellm"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.14-stable"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9"
},
{
"type": "WEB",
"url": "https://www.obsidiansecurity.com/blog/litellm-privilege-escalation-rce"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/litellm-privilege-escalation-via-api-key-generation"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/litellm"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qrc4-49gv-mv9m"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.