Breaking LiteLLM: From Low-Privilege User to Admin and RCE (www.obsidiansecurity.com)

Security researchers from Obsidian Security revealed critical vulnerabilities in LiteLLM, an open-source AI gateway, forming a dangerous exploit chain with a CVSS score of 9.9. The vulnerabilities allow a low-privilege user to gain administrative access and execute arbitrary code on the LiteLLM server. Key issues include misconfigurations in the route permissions system, which permit non-administrative users to mint keys with access to sensitive admin-only routes. Furthermore, endpoints running user code with inadequate protections expose the system to remote code execution (RCE), potentially compromising the entire AI infrastructure that relies on LiteLLM. The significance of these findings is profound for the AI/ML community, as LiteLLM is positioned as a critical component in AI operations, managing interactions with multiple LLM providers. If exploited, an attacker could manipulate AI agents' outputs or command execution flows, leading to unauthorized access to external tools and sensitive data. Following responsible disclosure, BerriAI addressed these vulnerabilities in LiteLLM v1.83.14-stable, released on April 25, 2026, emphasizing the urgent need for vigilant security practices in AI infrastructure development, especially as old web vulnerabilities continue to resurface in newer AI technologies.