CVE-2026-47101
EUVD-2026-3134621.05.2026, 21:16
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| litellm | litellm | 𝑥 < 1.83.14 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-863 - Incorrect AuthorizationThe software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
- CWE-639 - Authorization Bypass Through User-Controlled KeyThe system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
References