CVE-2026-59820
Received Received - Intake

Path Traversal in LiteLLM via Malicious Skill Archive

Vulnerability report for CVE-2026-59820, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.7-stable, LiteLLM Skills archive extraction did not sufficiently validate file paths from uploaded skill ZIP archives, allowing an authenticated user with access to LiteLLM LLM API routes or a key whose allowed_routes includes /v1/skills, anthropic_routes, or llm_api_routes to upload a crafted skill archive containing path traversal entries that could be written outside the intended extraction or staging directory. This issue is fixed in version 1.83.7-stable.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
litellm litellm to 1.83.7-stable (inc)
berriai litellm to 1.83.7-stable (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59820 is a path traversal vulnerability in LiteLLM versions prior to 1.83.7-stable. It occurs during the extraction of Skills archive ZIP files, where the file paths inside the archive are not properly validated.

An authenticated user with access to certain API routes (such as /v1/skills) can upload a specially crafted ZIP archive containing path traversal entries. These entries allow files to be written outside the intended extraction or staging directory.

This improper validation can lead to arbitrary file writes on the server, potentially enabling code execution depending on the deployment environment.

The issue is fixed in version 1.83.7-stable by adding strict path normalization and validation to ensure extracted files remain within the designated directories.

Impact Analysis

This vulnerability can allow an authenticated user to write files outside the intended directory on the server running LiteLLM.

Such arbitrary file writes can lead to unauthorized modification or creation of files, which may result in remote code execution or compromise of the system depending on how the server is configured.

If exploited, attackers could potentially gain control over the server or disrupt its normal operation.

To mitigate this risk, users should upgrade to LiteLLM version 1.83.7-stable or later, or temporarily restrict access to the vulnerable API endpoints.

Detection Guidance

This vulnerability involves path traversal in the extraction of Skills archive ZIP files uploaded via LiteLLM's API routes such as /v1/skills. Detection can focus on monitoring for suspicious ZIP archive uploads containing path traversal sequences (e.g., entries with ".." or absolute paths) targeting these API endpoints.

You can detect attempts by inspecting logs for uploads to the /v1/skills or related API routes and checking for ZIP files containing entries with path traversal patterns.

Example commands to inspect ZIP contents for path traversal entries on a system where uploads are stored or logged:

  • unzip -l suspicious_skill.zip | grep '\.\./'
  • zipinfo suspicious_skill.zip | grep '^/'

Additionally, monitoring network traffic or API access logs for unusual or unauthorized access to the /v1/skills endpoint or related routes can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade LiteLLM to version 1.83.7-stable or later, where the vulnerability is fixed by validating and sanitizing file paths during skill archive extraction.

Until the upgrade can be applied, temporary mitigations include:

  • Blocking or restricting access to the /v1/skills API endpoint at the reverse proxy level.
  • Limiting access to the LiteLLM API routes involved (/v1/skills, anthropic_routes, llm_api_routes) to trusted authenticated users only.

These steps reduce the risk of malicious skill archive uploads exploiting path traversal to write files outside intended directories.

Compliance Impact

The vulnerability in LiteLLM allows an authenticated user to perform path traversal during skill archive extraction, potentially writing files outside the intended directory. This could lead to unauthorized file access or code execution depending on deployment.

Such unauthorized file writes and potential code execution could impact compliance with standards like GDPR or HIPAA, which require strict controls on data integrity, confidentiality, and system security.

If exploited, this vulnerability might allow attackers to access or manipulate sensitive data or system components, thereby violating regulatory requirements for data protection and system integrity.

Mitigation by upgrading to version 1.83.7-stable or restricting access to trusted users helps reduce the risk and supports compliance efforts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59820. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart