Vulnerabilities ›

CVE-2026-35029

High

CWE-863 — Weakness Type

                    Published: Apr 6, 2026                      ·  Modified: Apr 13, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.

🤖 AI Executive Summary

CVE-2026-35029 is a critical authorization bypass vulnerability in LiteLLM versions prior to 1.83.0 affecting the /config/update endpoint. An authenticated attacker can modify proxy configurations, execute arbitrary Python code, read sensitive files, and hijack administrative accounts without requiring admin privileges. This poses severe risk to organizations using LiteLLM as an AI Gateway, particularly those integrating with enterprise LLM services.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 07:39

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations leveraging LiteLLM for AI Gateway services face critical risk, particularly: (1) Financial sector (SAMA-regulated banks, fintech) using LLM APIs for customer service and fraud detection; (2) Government agencies (NCA, CITC) deploying AI solutions for digital transformation; (3) Healthcare providers integrating LLM for medical records and diagnostics; (4) Energy sector (ARAMCO, utilities) using AI for operational optimization; (5) Telecom operators (STC, Mobily) implementing LLM-based customer support. The vulnerability enables complete system compromise, data exfiltration, and lateral movement within enterprise networks.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare and Medical Services Energy and Utilities Telecommunications Technology and Software Development E-commerce and Retail

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts (abuse of authenticated access) T1548 - Abuse Elevation Control Mechanism (privilege escalation) T1098 - Account Manipulation (credential hijacking) T1059 - Command and Scripting Interpreter (Python code execution) T1083 - File and Directory Discovery (arbitrary file read) T1005 - Data from Local System (sensitive file exfiltration) T1021 - Remote Service Session Initiation (RCE via custom handlers) T1562 - Impair Defenses (disable security controls via config modification)

⚖️ Saudi Risk Score (AI)

9.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Upgrade LiteLLM to version 1.83.0 or later immediately

2. Audit all /config/update endpoint access logs for unauthorized modifications

3. Review environment variables and proxy configurations for unauthorized changes

4. Reset all UI_USERNAME and UI_PASSWORD credentials

5. Inspect custom endpoint handlers for malicious code



PATCHING GUIDANCE:

- Deploy v1.83.0+ across all LiteLLM instances

- Test in staging environment before production deployment

- Implement automated patching for future releases



COMPENSATING CONTROLS (if immediate patching delayed):

- Restrict /config/update endpoint access via WAF/reverse proxy to admin IPs only

- Implement strict role-based access control (RBAC) at application level

- Monitor /config/update endpoint for suspicious requests

- Disable custom endpoint handler registration if not required

- Implement API rate limiting on configuration endpoints



DETECTION RULES:

- Alert on POST requests to /config/update from non-admin users

- Monitor for environment variable modifications (UI_USERNAME, UI_PASSWORD, UI_LOGO_PATH)

- Detect custom endpoint handler registration attempts

- Flag unauthorized proxy configuration changes

- Monitor for Python code execution patterns in request payloads

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. ترقية LiteLLM إلى الإصدار 1.83.0 أو أحدث فوراً

2. تدقيق جميع سجلات الوصول إلى نقطة نهاية /config/update للتعديلات غير المصرح بها

3. مراجعة متغيرات البيئة وتكوينات الوكيل للتغييرات غير المصرح بها

4. إعادة تعيين جميع بيانات اعتماد UI_USERNAME و UI_PASSWORD

5. فحص معالجات نقاط النهاية المخصصة للكود الضار



إرشادات التصحيح:

- نشر v1.83.0+ عبر جميع مثيلات LiteLLM

- الاختبار في بيئة التجريب قبل نشر الإنتاج

- تنفيذ التصحيح الآلي للإصدارات المستقبلية



الضوابط البديلة (إذا تأخر التصحيح الفوري):

- تقييد وصول نقطة نهاية /config/update عبر WAF/reverse proxy لعناوين IP الإدارية فقط

- تنفيذ التحكم في الوصول القائم على الأدوار (RBAC) على مستوى التطبيق

- مراقبة نقطة نهاية /config/update للطلبات المريبة

- تعطيل تسجيل معالج نقطة النهاية المخصصة إذا لم تكن مطلوبة

- تنفيذ تحديد معدل API على نقاط نهاية التكوين



قواعد الكشف:

- تنبيه على طلبات POST إلى /config/update من مستخدمين غير إداريين

- مراقبة تعديلات متغيرات البيئة (UI_USERNAME و UI_PASSWORD و UI_LOGO_PATH)

- كشف محاولات تسجيل معالج نقطة النهاية المخصصة

- وضع علم على تغييرات تكوين الوكيل غير المصرح بها

- مراقبة أنماط تنفيذ كود Python في حمولات الطلب

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policy (authorization enforcement) ECC 2024 A.5.2.1 - User Registration and Access Management ECC 2024 A.5.3.1 - Password Management ECC 2024 A.6.1.1 - Information Security Roles and Responsibilities ECC 2024 A.8.2.1 - User Access Rights Review ECC 2024 A.12.4.1 - Event Logging ECC 2024 A.12.4.3 - Protection of Log Information

🔵 SAMA CSF

SAMA CSF 1.1 - Governance and Risk Management (authorization controls) SAMA CSF 2.1 - Asset Management (configuration management) SAMA CSF 3.1 - Access Control (role-based access enforcement) SAMA CSF 4.1 - Cryptography (credential protection) SAMA CSF 5.1 - Incident Management (detection and response) SAMA CSF 6.1 - Business Continuity (system integrity)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.2 - Information Security Policies and Procedures ISO 27001:2022 A.6.1 - Organizational Controls (roles and responsibilities) ISO 27001:2022 A.8.1 - User Endpoint Devices ISO 27001:2022 A.8.2 - Privileged Access Rights ISO 27001:2022 A.8.3 - Information Access Restriction ISO 27001:2022 A.9.2 - User Access Management ISO 27001:2022 A.9.4 - Access Rights Review ISO 27001:2022 A.12.4 - Logging

🟣 PCI DSS v4.0.1

PCI DSS 2.1 - Default Security Parameters PCI DSS 6.2 - Security Patches PCI DSS 7.1 - Limit Access to System Components PCI DSS 8.1 - User Identification and Authentication PCI DSS 8.2 - User Access Control PCI DSS 10.2 - Implement Automated Audit Trails

🔗 References & Sources 1

🔗

https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789

security-advisories@github.com

Vendor Advisory Mitigation

📦 Affected Products / CPE 1 entries

litellm:litellm

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-863

EPSS0.17%

Exploit No

Patch ✗ No

Published 2026-04-06

Source Feed nvd

🇸🇦 Saudi Risk Score

9.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-863

🏢 Vendor Advisories

🔗 https://github.com/BerriAI/litellm/security/advisori...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-35029

💬 Comments

Introduce Yourself

Sign In Required