Cyber Resilience

CVE-2026-35029

High

Published: 06 April 2026

Published
06 April 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.2719 97.8th percentile
Risk Priority 60 floored blend · peak EPSS

Summary

CVE-2026-35029 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Litellm Litellm. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

LiteLLM is an AI gateway proxy server that routes calls to LLM APIs using OpenAI-compatible or native formats. Prior to version 1.83.0 the /config/update endpoint failed to enforce admin-role authorization checks, a flaw tracked as CWE-863. Any authenticated user could therefore alter proxy settings and environment variables through this endpoint.

An attacker already logged into the platform can register custom pass-through handlers that point to attacker-controlled Python code, resulting in remote code execution. The same access also permits reading arbitrary files by setting UI_LOGO_PATH and retrieving them via /get_image, as well as account takeover by overwriting UI_USERNAME and UI_PASSWORD variables.

The GitHub security advisory GHSA-53mr-6c8q-9789 states that the issue is resolved in LiteLLM v1.83.0.

The associated EPSS score rose from lower values after the April 2026 disclosure to a peak of 0.2593 on 22 May 2026 before receding to the current 0.1938, indicating a period of increased exploitation interest in this LLM-gateway component.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use…

more

this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, llm, openai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

CVE enables exploitation of public-facing proxy server (T1190) for authorization bypass, leading to Python RCE via custom handlers (T1059.006), arbitrary file reads (T1005), and account manipulation via credential overwrite (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-47102Same product: Litellm Litellm
CVE-2026-47101Same product: Litellm Litellm
CVE-2026-35030Same product: Litellm Litellm
CVE-2026-40217Same product: Litellm Litellm
CVE-2026-42208Same product: Litellm Litellm
CVE-2026-42271Same product: Litellm Litellm
CVE-2024-9606Same product: Litellm Litellm
CVE-2026-45672Shared CWE-863
CVE-2026-3573Shared CWE-863
CVE-2026-30820Shared CWE-863

Affected Assets

litellm
litellm
≤ 1.83.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on the /config/update endpoint so that only admin-role users can modify proxy settings or register pass-through handlers.

prevent

Ensures authenticated users receive only the privileges required for their role, blocking non-admin access to configuration and environment-variable changes that lead to RCE or account takeover.

prevent

Restricts which users or roles are permitted to perform configuration changes, directly limiting the ability of ordinary authenticated accounts to alter LiteLLM proxy settings.

References