Obsidian Security: a three-CVE chain turns any LiteLLM user into root on the AI gateway
From CTI Daily Brief — 2026-06-16 · published 2026-06-16 · view item permalink →
Obsidian Security published a privilege-escalation-to-RCE chain in LiteLLM (BerriAI), the widely self-hosted AI gateway that proxies 100+ LLM providers behind one OpenAI-compatible API (Obsidian Security, 2026-06-15; The Hacker News, 2026-06-15). The chain: CVE-2026-47101 (authorization bypass) — the key-generation endpoint accepts a caller-supplied allowed_routes without checking the caller's role, so an internal_user can mint a key reaching admin routes; CVE-2026-47102 (privilege escalation) — /user/update lacks field-level authorization, letting any authenticated user set their own user_role to proxy_admin; CVE-2026-40217 (RCE) — the Custom Code Guardrails feature runs attacker-supplied Python via exec() with __builtins__ available, giving arbitrary code execution. VulnCheck scores CVE-2026-47102 at CVSS 8.8 (3.1), and Obsidian rates the chained impact CVSS 9.9; chained, a default low-privilege account reaches the master key, the salt key decrypting stored secrets, the database URL and every configured provider API key — and can rewrite responses delivered to downstream AI agents ("man-in-the-gateway"). Fixed in v1.83.14-stable, but Obsidian reports broad under-deployment of the fix. Mapped to T1078, T1548 and T1059.006.
Why it matters to us: Swiss/EU public-sector and research bodies increasingly centralise AI workflows on a gateway proxy; a compromised LiteLLM is both a credential-theft and an agent-manipulation vector. Pin LiteLLM to ≥1.83.14, keep admin endpoints off the internet, store provider keys in a secrets manager, and rotate all provider keys if any pre-1.83.14 instance was reachable by untrusted users.