CVE-2026-47101
Privilege Escalation in LiteLLM via API Key Misconfiguration
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| litellm | litellm | < 1.83.14 (all versions before 1.83.14; 1.83.14 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 (Incorrect Authorization) | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in LiteLLM versions prior to 1.83.14 and allows an authenticated internal user to create API keys that grant access to routes beyond their assigned permissions.
When generating an API key, the proxy accepts the list of allowed routes supplied in the request without checking that every requested route is one the caller's own role is permitted to reach.
As a result, an internal user can create a key whose allowed routes include admin-only routes and then use that key to bypass role-based access control, effectively escalating from internal user to proxy administrator.
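The following is an added example, not LiteLLM's own code: a minimal model of API-key generation where the caller chooses the routes a key may reach. It places the missing check described above next to a hardened version that refuses any route outside the caller's role. The role names, route names, the `allowed_routes` parameter and all function names are assumptions made for illustration and are not LiteLLM identifiers.

```python
"""Added example (not LiteLLM's code): key generation with and without the
authorization check that CVE-2026-47101 describes as missing.

Role names, route names, `allowed_routes` and the helper names below are
assumptions for illustration, not LiteLLM identifiers."""

from dataclasses import dataclass

# Hypothetical role -> permitted-route mapping (constructed for the example).
ROLE_ROUTES = {
    "proxy_admin": {
        "/chat/completions", "/key/generate", "/key/delete", "/user/new", "/model/new",
    },
    "internal_user": {"/chat/completions", "/key/generate"},
}


@dataclass
class User:
    user_id: str
    role: str


@dataclass
class ApiKey:
    owner: str
    allowed_routes: set


class AuthorizationError(PermissionError):
    pass


def generate_key_vulnerable(caller: User, allowed_routes: set) -> ApiKey:
    """Pre-fix behaviour: the requested routes are stored as-is, with no
    comparison against what the caller's own role permits."""
    return ApiKey(owner=caller.user_id, allowed_routes=set(allowed_routes))


def generate_key_fixed(caller: User, allowed_routes: set) -> ApiKey:
    """Hardened behaviour: a key may only carry routes the caller's role grants.
    The check is a subset test against the caller's role, so a request that
    smuggles in admin-only routes is rejected outright."""
    permitted = ROLE_ROUTES.get(caller.role, set())
    excess = set(allowed_routes) - permitted
    if excess:
        raise AuthorizationError(
            f"{caller.user_id} ({caller.role}) cannot issue a key for {sorted(excess)}"
        )
    return ApiKey(owner=caller.user_id, allowed_routes=set(allowed_routes))


def route_allowed(key: ApiKey, route: str) -> bool:
    """Request-time check: the key's stored route list is trusted as authoritative,
    which is exactly why the generation-time check above matters."""
    return route in key.allowed_routes


def demo() -> dict:
    """Walk through the escalation with both implementations."""
    attacker = User(user_id="u-internal", role="internal_user")
    wanted = {"/chat/completions", "/user/new", "/model/new"}  # includes admin-only routes

    bad_key = generate_key_vulnerable(attacker, wanted)
    try:
        generate_key_fixed(attacker, wanted)
        fixed_rejected = False
    except AuthorizationError:
        fixed_rejected = True

    # A key confined to the caller's own role is still issued by the fixed path.
    legit = generate_key_fixed(attacker, {"/chat/completions"})

    return {
        "vulnerable_key_reaches_admin_route": route_allowed(bad_key, "/user/new"),
        "fixed_rejected_escalation": fixed_rejected,
        "fixed_allows_in_role_key": route_allowed(legit, "/chat/completions"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the fixed version is that the authority a key can carry is bounded by the authority of whoever issues it; checking the request against itself (for example, only validating that routes are well-formed) does nothing to prevent escalation.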
How can this vulnerability impact me?
This vulnerability can lead to full privilege escalation, allowing an internal user to gain unauthorized administrative access to the LiteLLM proxy.
An attacker exploiting this flaw could perform actions reserved for proxy administrators, compromising the confidentiality, integrity, and availability of the system.
This could result in unauthorized data access, modification, or deletion, as well as disruption of service.
Because the flaw lies in the check applied when a key is generated, upgrading to 1.83.14 or later stops new over-privileged keys from being issued; keys created by non-admin users before the upgrade should be reviewed for allowed routes beyond their owner's role and revoked where necessary.