What is the CVSS score of CVE-2026-40217?

CVE-2026-40217 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Litellm are affected by CVE-2026-40217?

BerriAI LiteLLM versions through April 8, 2026 contain a remote code execution vulnerability in its guardrails testing functionality that allows authenticated users to execute arbitrary code and…. A patch is available.

Is there a public PoC exploit available for CVE-2026-40217?

Yes, a public proof-of-concept exploit is available for CVE-2026-40217. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2026-40217?

Within 24 hours: Inventory all BerriAI LiteLLM deployments and identify instances running versions through 2026-04-08; restrict network access to the /guardrails/test_custom_code endpoint to authorized administrators only via firewall or API gateway rules. Within 7 days: Disable the guardrails testing functionality entirely if not operationally required, or implement application-level access controls limiting endpoint usage to administrative accounts; monitor logs for suspicious activity on this endpoint. Within 30 days: Evaluate vendor security roadmap and timeline for patched releases; prepare migration plan to patched version once available; consider alternative LLM guardrail solutions if vendor patch timeline extends beyond acceptable risk window.

Litellm CVE-2026-40217

EUVD-2026-21376 HIGH

Unprotected Alternate Channel (CWE-420)

2026-04-10 mitre

GHSA-3926-2jvf-fg29

GHSA-wxxx-gvqv-xp7p

RCE Litellm

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Red Hat

8.8 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 27, 2026 - 23:07 vuln.today

cvss_changed

EUVD ID Assigned

Apr 10, 2026 - 14:15 euvd

EUVD-2026-21376

Analysis Generated

Apr 10, 2026 - 14:15 vuln.today

CVE Published

Apr 10, 2026 - 13:43 nvd

HIGH 8.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

2 pypi packages depend on litellm (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.81.8.

DescriptionCVE.org

LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.

AnalysisAI

Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute arbitrary code by exploiting bytecode rewriting functionality at the /guardrails/test_custom_code endpoint. The vulnerability requires low-privilege authentication (PR:L) but permits complete system compromise with high impact to confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to LiteLLM application

Delivery

Access /guardrails/test_custom_code endpoint

Exploit

Submit malicious bytecode payload

Execution

Rewrite and execute arbitrary code

Impact

Achieve remote code execution with full privileges

Access

Authenticate to LiteLLM application

Delivery

Access /guardrails/test_custom_code endpoint

Exploit

Submit malicious bytecode payload

Execution

Rewrite and execute arbitrary code

Impact

Achieve remote code execution with full privileges

Vulnerability AssessmentAI

Exploitation	Authenticated user access required to LiteLLM through 2026-04-08. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 high severity RCE affecting authenticated LiteLLM users via bytecode rewriting at /guardrails/test_custom_code. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Authenticated attacker submits malicious Python bytecode to /guardrails/test_custom_code endpoint. LiteLLM processes and executes bytecode without proper validation, achieving remote code execution on the server. …
Remediation	Upstream fix available (PR/commit); released patched version not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all BerriAI LiteLLM deployments and identify instances running versions through 2026-04-08; restrict network access to the /guardrails/test_custom_code endpoint to authorized administrators only via firewall or API gateway rules. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

CVE-2026-40217 vulnerability details – vuln.today

Back

Litellm CVE-2026-40217

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

Share

External POC / Exploit Code