CVE-2026-35029
Published: 06 April 2026
Description
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Security Summary
CVE-2026-35029 is an authorization bypass vulnerability in LiteLLM, a proxy server and AI Gateway used to call LLM APIs in OpenAI or native format. In versions prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization, allowing improper control over sensitive operations. This issue is classified under CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
An attacker with existing low-privilege authentication to the LiteLLM platform can exploit the vulnerable endpoint over the network with low complexity and no user interaction required. Successful exploitation enables modification of proxy configuration and environment variables, including registering custom pass-through endpoint handlers that point to attacker-controlled Python code for remote code execution. Additional impacts include reading arbitrary server files by setting the UI_LOGO_PATH environment variable and fetching via the /get_image endpoint, as well as taking over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables.
The vulnerability was addressed in LiteLLM version 1.83.0, which enforces proper admin role checks on the /config/update endpoint. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789.
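For log review on a proxy that ran a version prior to 1.83.0, the following added example (not code from LiteLLM or the advisory) flags accepted or denied POST requests to /config/update and any later /get_image fetch from the same client. It assumes access logs in uvicorn's default format and a client address that is not collapsed by a reverse proxy; the function name, finding labels and sample lines are constructed for illustration.

```python
import re

# Constructed sample lines in uvicorn's default access-log format (not real traffic).
SAMPLE_LOG = """\
INFO:     10.0.0.5:41822 - "POST /chat/completions HTTP/1.1" 200 OK
INFO:     10.0.0.9:50110 - "POST /config/update HTTP/1.1" 200 OK
INFO:     10.0.0.9:50112 - "GET /get_image HTTP/1.1" 200 OK
INFO:     10.0.0.7:39001 - "POST /config/update HTTP/1.1" 403 Forbidden
INFO:     10.0.0.5:41830 - "GET /get_image HTTP/1.1" 200 OK
"""

LINE_RE = re.compile(
    r'^\S+\s+(?P<ip>[0-9a-fA-F.:]+):\d+ - '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def hunt(log_text):
    """Return (line_no, client_ip, finding) tuples for CVE-2026-35029 review."""
    findings = []
    updated = set()  # clients whose /config/update call was accepted
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line
        ip, method, status = m["ip"], m["method"], int(m["status"])
        # Ignore query strings and trailing slashes when matching the path.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if method == "POST" and path == "/config/update":
            if 200 <= status < 300:
                updated.add(ip)
                findings.append((line_no, ip, "config_update_accepted"))
            elif status in (401, 403):
                # Rejected call: record it so repeated attempts are visible.
                findings.append((line_no, ip, "config_update_denied"))
        elif (method == "GET" and path == "/get_image"
              and status == 200 and ip in updated):
            # Image fetch after a config change from the same client.
            findings.append((line_no, ip, "get_image_after_config_update"))
    return findings


if __name__ == "__main__":
    for line_no, ip, finding in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {ip} {finding}")
```

The access log does not record the caller's role, so each config_update_accepted hit still has to be matched against known administrator activity.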
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: APIs and Models
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: ai, llm, openai
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing proxy server (T1190) through an authorization bypass, leading to Python RCE via custom handlers (T1059.006), arbitrary file reads (T1005), and account manipulation via credential overwrite (T1098).