Vulnerability Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Litellm | Litellm | < 1.83.0 |
Related Weaknesses (CWE)
References
- https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789MitigationVendor Advisory
- http://seclists.org/fulldisclosure/2026/Apr/17
FAQ
What is CVE-2026-35029?
CVE-2026-35029 is a vulnerability with a CVSS score of 8.8 (HIGH). LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already auth...
How severe is CVE-2026-35029?
CVE-2026-35029 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35029?
Check the references section above for vendor advisories and patch information. Affected products include: Litellm Litellm.