
LiteLLM AI Gateway: CVSS 9.9. Four Chained Vulnerabilities Let a Low-Privilege User Hijack Claude Code Responses.

Auth bypass → admin privilege escalation → Python sandbox escape via unfiltered exec() → MCP callback injection. The open-source AI gateway used to route requests between Claude, GPT, and Gemini had a kill chain from viewer to root. Patched in v1.83.14.


The AI Infrastructure Kill Chain

On June 15, 2026, The Hacker News published details of a four-vulnerability chain in LiteLLM — the widely deployed open-source AI gateway that routes requests between Claude, GPT, Gemini, and other models. The combined CVSS score is 9.9. A low-privilege viewer account can escalate to full system compromise through four linked exploits: CVE-2026-47101 (auth bypass, CVSS 8.8), CVE-2026-47102 (privilege escalation to admin), CVE-2026-40217 (Python sandbox escape via unfiltered exec()), and CVE-2026-42271 (MCP subprocess spawning that hijacks Claude Code responses via callback injection).

The attack chain is elegant in its simplicity. Step one: the auth bypass lets any user generate API keys with unrestricted route access, regardless of their assigned role. Step two: with unrestricted API access, the attacker self-promotes to admin through the user management API. Step three: the admin panel's callback configuration accepts arbitrary Python code that is executed via exec() with no sandboxing. Step four: the attacker injects a malicious MCP callback that intercepts and modifies responses from Claude Code — the AI coding assistant — before they reach the developer.
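The chain above leaves an ordered trail in an audit log, which is what a detection can key on. The following is an added example, not code from the original article or from the LiteLLM project: the event schema, the action names, and the use of "*" to mean unrestricted routes are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical schema (not LiteLLM's log format).
EVENTS = [
    {"ts": "2026-06-01T09:00:00", "actor": "alice", "role": "admin",
     "action": "callback.update"},
    {"ts": "2026-06-01T10:00:00", "actor": "bob", "role": "viewer",
     "action": "key.create", "routes": ["*"]},
    {"ts": "2026-06-01T10:02:00", "actor": "bob", "role": "viewer",
     "action": "user.role_update", "target": "bob", "new_role": "admin"},
    {"ts": "2026-06-01T10:05:00", "actor": "bob", "role": "admin",
     "action": "callback.update"},
    {"ts": "2026-06-01T11:00:00", "actor": "carol", "role": "viewer",
     "action": "key.create", "routes": ["/chat/completions"]},
]

def _stage(ev, reached):
    """Return the chain stage this event would complete, or None."""
    action = ev["action"]
    # Stage 1: a non-admin mints a key with unrestricted route access.
    if action == "key.create" and ev["role"] != "admin" and "*" in ev.get("routes", []):
        return 1
    # Stage 2: the same actor then promotes their own account to admin.
    if (action == "user.role_update" and reached >= 1
            and ev.get("target") == ev["actor"] and ev.get("new_role") == "admin"):
        return 2
    # Stage 3: the freshly promoted account edits callback configuration.
    if action == "callback.update" and reached >= 2:
        return 3
    return None

def detect_chain(events, window=timedelta(hours=1)):
    """Return (actor, stage, ts) for each step of the chain seen in order."""
    state, alerts = {}, []  # state: actor -> (stage reached, time of stage 1)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        stage, start = state.get(ev["actor"], (0, ts))
        if stage and ts - start > window:
            stage, start = 0, ts  # earlier steps are too old to correlate
        hit = _stage(ev, stage)
        if hit is None or hit <= stage:
            continue
        state[ev["actor"]] = (hit, ts if hit == 1 else start)
        alerts.append((ev["actor"], hit, ev["ts"]))
    return alerts
```

Stage 1 alone is already worth an alert; stages 2 and 3 raise the priority because a legitimate admin's callback edit (alice here) never passes through the earlier steps.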

Combined CVSS: 9.9 (Critical). Four chained CVEs. Source: The Hacker News, June 15, 2026.
Attack chain: Viewer → Admin → Sandbox Escape → Response Hijack. Four steps from lowest privilege to complete control.
Patch: v1.83.14-stable. Available since May 2, 2026. Source: LiteLLM GitHub.

Why AI Gateways Are Critical Infrastructure

LiteLLM sits between an organization's applications and every AI model they use. It routes API requests, manages API keys, enforces rate limits, tracks costs, and logs every prompt and response. Compromising LiteLLM gives an attacker access to every AI interaction in the organization — every code review, every document analysis, every customer query. The gateway sees everything because its job is to route everything.

The callback injection vulnerability (CVE-2026-42271) is particularly dangerous because it allows the attacker to modify AI responses in transit. A developer using Claude Code through a compromised LiteLLM instance receives code suggestions that have been silently altered — backdoors inserted, security checks removed, credentials hardcoded. The developer trusts the response because it comes from Claude. The response is not from Claude. It is from the attacker, wearing Claude's face.

The unfiltered exec() Problem

The sandbox escape (CVE-2026-40217) exists because LiteLLM's callback configuration accepts Python code and executes it via exec() — Python's built-in function for running arbitrary code strings. There is no sandboxing, no restricted execution environment, no allowlist of permitted operations. The admin panel's callback field is a direct code execution endpoint. Once an attacker reaches admin (steps one and two), they have arbitrary code execution on the LiteLLM server.
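The pattern described above, next to a hardened alternative in which callback configuration is data that selects from code shipped with the service. This is an added example, not LiteLLM's code or its actual fix: the function names, the JSON config shape, and the two sample callbacks are hypothetical.

```python
import json
from typing import Callable

Response = dict

def register_callback_unsafe(source: str, hooks: dict) -> None:
    # Anti-pattern: the configured string is code, so whoever can edit the
    # field decides what the server process executes.
    exec(source, {"hooks": hooks})

def make_redactor(fields) -> Callable[[Response], Response]:
    if not isinstance(fields, list) or not all(isinstance(f, str) for f in fields):
        raise ValueError("fields must be a list of strings")
    return lambda resp: {k: ("[redacted]" if k in fields else v) for k, v in resp.items()}

def make_tagger(tag) -> Callable[[Response], Response]:
    if not isinstance(tag, str) or len(tag) > 32:
        raise ValueError("tag must be a short string")
    return lambda resp: {**resp, "tag": tag}

# Allowlist: name -> (factory, exact set of parameter names it accepts).
CALLBACK_FACTORIES = {
    "redact": (make_redactor, {"fields"}),
    "tag": (make_tagger, {"tag"}),
}

def register_callback(config_json: str) -> Callable[[Response], Response]:
    """Build a callback from JSON config; nothing in the config is ever executed."""
    cfg = json.loads(config_json)
    if not isinstance(cfg, dict) or set(cfg) != {"name", "params"}:
        raise ValueError("config must have exactly 'name' and 'params'")
    name, params = cfg["name"], cfg["params"]
    if not isinstance(name, str) or name not in CALLBACK_FACTORIES:
        raise ValueError(f"callback {name!r} is not on the allowlist")
    factory, allowed = CALLBACK_FACTORIES[name]
    if not isinstance(params, dict) or set(params) != allowed:
        raise ValueError(f"params for {name!r} must be exactly {sorted(allowed)}")
    return factory(**params)
```

With this shape, reaching the admin panel lets someone choose among existing callbacks and their validated parameters, not supply new code.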

This is the same class of vulnerability that affects WordPress plugin architectures — administrative interfaces that trust their inputs because they assume only authorized administrators will access them. The difference is scale: a compromised WordPress admin can deface one website. A compromised LiteLLM admin can intercept every AI-powered operation across an entire organization's infrastructure.

The Patch Gap

The patch (v1.83.14-stable) has been available since May 2, 2026 — six weeks before the public disclosure on June 15. Organizations that updated promptly are protected. Organizations that did not are running an AI gateway with a CVSS 9.9 vulnerability that chains from the lowest privilege level to complete system compromise. The patch gap — the time between patch availability and actual deployment — is the window during which every unpatched LiteLLM instance is exploitable.

WebPulse's framework security analysis consistently shows that the patch gap is the primary risk factor, not vulnerability count. LiteLLM had four vulnerabilities. Hugo has zero. But a patched LiteLLM would be safer than an unpatched Hugo, if Hugo had vulnerabilities. The metric that matters is not how many CVEs a framework has, but how quickly organizations deploy the patches. For AI infrastructure like LiteLLM, the patch gap is especially dangerous because the infrastructure handles the most sensitive data in the organization: every AI interaction, every prompt, every response.
