CVE-2026-35029
HIGH
GHSA-53mr-6c8q-9789
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description
### Impact The `/config/update endpoint` does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to do the following: - Modify proxy configuration and environment variables - Register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution - Read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image - Take over other priveleged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables ### Patches Fixed in v1.83.0. The endpoint now requires `proxy_admin` role. ### Workarounds Restrict API key distribution. There is no configuration-level workaround.
Analysis
Remote code execution in BerriAI LiteLLM (pkg:pip/litellm) prior to v1.83.0 allows authenticated users without admin privileges to execute arbitrary Python code, modify proxy configuration, read server files, and hijack privileged accounts via an improperly protected /config/update endpoint. Authentication requirements not confirmed from available data. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all BerriAI LiteLLM instances and document versions in use; immediately disable or restrict network access to the /config/update endpoint. Within 7 days: Upgrade to LiteLLM v1.83.0 or later once patch validation is confirmed in your environment; apply network segmentation to limit endpoint exposure. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today