CVE-2026-35029
Authorization Bypass in LiteLLM Proxy Enables Remote Code Execution
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| litellm | litellm | to 1.83.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade LiteLLM to version 1.83.0 or later, where the /config/update endpoint enforces the proxy_admin role authorization.
Until the upgrade can be applied, restrict the distribution of API keys to trusted users only, as any authenticated user can exploit this vulnerability.
There are no configuration-level workarounds available, so controlling access and upgrading are critical.
Can you explain this vulnerability to me?
CVE-2026-35029 is a high-severity privilege escalation vulnerability in the litellm Python package versions prior to 1.83.0. The vulnerability exists because the /config/update API endpoint does not enforce admin role authorization.
This means that any user who is already authenticated can exploit this endpoint to modify proxy configurations and environment variables.
An attacker can register custom pass-through endpoint handlers that execute attacker-controlled Python code, leading to remote code execution.
Additionally, the attacker can read arbitrary server files by setting the UI_LOGO_PATH environment variable and fetching files via the /get_image endpoint.
The attacker can also take over privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables.
This vulnerability was fixed in litellm version 1.83.0 by requiring the proxy_admin role for access to the /config/update endpoint.
How can this vulnerability impact me? :
This vulnerability can have severe impacts if exploited.
- Attackers can achieve remote code execution on the server by registering malicious Python code handlers.
- Attackers can read arbitrary files on the server, potentially exposing sensitive information.
- Attackers can take over privileged accounts by overwriting environment variables related to usernames and passwords.
- Overall, this leads to a high impact on the confidentiality, integrity, and availability of the vulnerable system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated user to escalate privileges, execute arbitrary code remotely, read arbitrary server files, and take over privileged accounts by modifying environment variables. Such unauthorized access and control over sensitive data and system configurations can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
Because the vulnerability enables reading arbitrary files and account takeover, it increases the risk of data breaches and unauthorized disclosure of protected health information or personal data, which are critical compliance concerns under these standards.
Mitigation requires upgrading to version 1.83.0 or later, which enforces admin role authorization on the vulnerable endpoint, helping to restore compliance by restricting unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring access to the /config/update endpoint on the LiteLLM proxy server. Since the endpoint does not enforce admin role authorization prior to version 1.83.0, any authenticated user accessing this endpoint could indicate exploitation attempts.
You can check server logs for unusual or unauthorized POST requests to /config/update from authenticated users.
Additionally, look for suspicious changes in environment variables such as UI_LOGO_PATH, UI_USERNAME, and UI_PASSWORD, or the registration of custom pass-through endpoint handlers.
Suggested commands to detect potential exploitation attempts include:
- Use grep or similar tools to search logs for access to /config/update, e.g., `grep "/config/update" /var/log/litellm/access.log`
- Check for recent changes in environment variables or configuration files related to LiteLLM.
- Monitor network traffic for POST requests to /config/update from authenticated users.