今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

LiteLLM Vulnerability Chain Enables Full AI Gateway Takeover from Default Account

Etairos.ai 2026年06月16日 03:01 4 次阅读 来源:Dev.to

TL;DR what: Three chained vulnerabilities in LiteLLM AI gateway allow default low-privilege users to bypass authorization, escalate to admin, and execute arbitrary code on the server. impact: Full compromise exposes every provider API key (OpenAI, Anthropic, Azure, etc.), database credentials, decryption secrets, and all prompts and responses passing through the gateway. fix: Upgrade immediately to LiteLLM v1.83.14-stable or later, which includes complete fixes for CVE-2026-47101, CVE-2026-47102, and CVE-2026-40217. who: Any organization running LiteLLM proxy to broker AI model access, especially those with internal users or agents routing through the gateway. A critical vulnerability chain in LiteLLM, a widely deployed open-source AI gateway, allows attackers starting from a default low-privilege account to achieve full server takeover and code execution. Obsidian Security researchers disclosed the three-bug chain rated CVSS 9.9, with maintainer BerriAI shipping complete fixes in version 1.83.14-stable on May 2, 2026. LiteLLM brokers API calls to more than 100 AI model providers—OpenAI, Anthropic, Google Gemini, AWS Bedrock, Azure OpenAI, and others—behind a single OpenAI-compatible interface. Organizations deploy it as a central gateway to manage costs, enforce policies, and route requests across multiple backends. That centralized position makes it a high-value target: a compromised proxy exposes every provider key it holds, the secrets that decrypt stored credentials, and every prompt and response flowing through it. The Three-Link Chain The attack begins with CVE-2026-47101, an authorization bypass. When a regular internal_user creates a virtual API key, LiteLLM stores the caller-supplied allowed_routes field without validating it against the user's role. This field is intended to restrict what the key can access, but the proxy also treats it as a fallback authorization grant. An attacker can mint a key with allowed_routes: ["/*"], a wildcard that opens every r

本文内容来源于互联网,版权归原作者所有
查看原文