Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 23 pypi packages depend on litellm (16 direct, 7 indirect)
Ecosystem-wide dependent count for version 1.83.14.
DescriptionCVE.org
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.
AnalysisAI
Privilege escalation in LiteLLM proxy versions prior to 1.83.14 allows an authenticated internal_user to elevate to proxy_admin by generating an API key with an attacker-controlled allowed_routes field that grants access to admin-only endpoints. Because the key-generation handler did not verify that the requested routes fell within the caller's own role permissions, the resulting key successfully reaches admin routes and bypasses role-based access control. Publicly available exploit code exists via a Huntr bounty disclosure and gist, and the upstream commits are merged in the v1.83.14-stable release.
Technical ContextAI
LiteLLM is an open-source LLM proxy/gateway (BerriAI/litellm) that brokers requests to multiple model providers and ships a management API for keys, users, and routes. The flaw is a CWE-863 Incorrect Authorization in litellm/proxy/management_endpoints/key_management_endpoints.py: the generate-key and regenerate-key flows accepted an allowed_routes parameter on the request body without checking that those routes were a subset of the caller's role. Because RouteChecks.non_proxy_admin_allowed_routes_check treats an explicit allowed_routes value as an override of the standard role gate, an internal_user could embed admin-only route buckets (e.g. management_routes) and the proxy would later honor them. The patch introduces _check_allowed_routes_caller_permission and _check_passthrough_routes_caller_permission, restricts the override to a safe preset list (llm_api_routes, info_routes), and re-checks after handle_key_type so derived buckets cannot smuggle elevated access.
RemediationAI
Vendor-released patch: upgrade LiteLLM to 1.83.14-stable or later (https://github.com/BerriAI/litellm/releases/tag/v1.83.14-stable), which adds caller-permission checks for allowed_routes and allowed_passthrough_routes in generate_key_fn, the update path, and regenerate_key_fn (commits 2220f3076ac89bd2a2e3439acf57dcfbec2434c9, 5190bd07eb23a037745d86328096f54378f1614a, d910a95661fce3cdd36f3b06c03ecf9c46c6457c). Until the upgrade can be rolled out, restrict the /key/generate, /key/update, and /key/regenerate management endpoints so they are reachable only by proxy_admin accounts (for example via an upstream reverse proxy ACL or network policy), revoke or rotate any keys created by internal_user accounts since deployment, and audit existing keys for unexpected allowed_routes or metadata.allowed_passthrough_routes values; the trade-off is that legitimate internal_user self-service key issuance will be blocked until the patch is applied. Avoid disabling key management entirely if downstream integrations rely on it - prefer the proxy-level allow-list above.
SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read an
Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute
BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical s
Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute ar
BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on t
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error oc
In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerabi
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. Rated high severity (CVSS
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` en
A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated
berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. Rated med
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated crit
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31346
GHSA-qrc4-49gv-mv9m