CVE-2026-47101 HIGH

CVE-2026-47101: LiteLLM < 1.83.14 Privilege Escalation via API Key Generation

Vendor Berriai
Product litellm
Weakness CWE-863 · Incorrect authorization
Published May 21, 2026
Last update June 30, 2026
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.

Key dates

02Disclosure timeline

May 21, 2026 CVE published
June 30, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2017-18095 CVE-2026-41233 Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add() CVE-2025-12621 Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update CVE-2026-46362 phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check CVE-2026-39852 Quarkus authorization bypass via semicolon path normalization inconsistency