CVE-2026-35029
Published: 06 April 2026
Summary
CVE-2026-35029 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Litellm Litellm. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
LiteLLM is an AI gateway proxy server that routes calls to LLM APIs using OpenAI-compatible or native formats. Prior to version 1.83.0 the /config/update endpoint failed to enforce admin-role authorization checks, a flaw tracked as CWE-863. Any authenticated user could therefore alter proxy settings and environment variables through this endpoint.
An attacker already logged into the platform can register custom pass-through handlers that point to attacker-controlled Python code, resulting in remote code execution. The same access also permits reading arbitrary files by setting UI_LOGO_PATH and retrieving them via /get_image, as well as account takeover by overwriting UI_USERNAME and UI_PASSWORD variables.
The GitHub security advisory GHSA-53mr-6c8q-9789 states that the issue is resolved in LiteLLM v1.83.0.
The associated EPSS score rose from lower values after the April 2026 disclosure to a peak of 0.2593 on 22 May 2026 before receding to the current 0.1938, indicating a period of increased exploitation interest in this LLM-gateway component.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19370
Vulnerability details
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use…
more
this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, llm, openai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of public-facing proxy server (T1190) for authorization bypass, leading to Python RCE via custom handlers (T1059.006), arbitrary file reads (T1005), and account manipulation via credential overwrite (T1098).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks on the /config/update endpoint so that only admin-role users can modify proxy settings or register pass-through handlers.
Ensures authenticated users receive only the privileges required for their role, blocking non-admin access to configuration and environment-variable changes that lead to RCE or account takeover.
Restricts which users or roles are permitted to perform configuration changes, directly limiting the ability of ordinary authenticated accounts to alter LiteLLM proxy settings.