CVE-2026-59821 in litellminfo

Summary

by MITRE • 07/08/2026

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.82.0-stable, LiteLLM's Custom Code Guardrails production create and update paths did not apply the same sandboxing and validation used by the test endpoint, allowing a privileged user with access to create or update guardrails to submit custom Python code that executed in the LiteLLM proxy environment and could expose secrets available to the process. This issue is fixed in version 1.82.0-stable.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability in LiteLLM represents a critical privilege escalation and code execution flaw that undermines the security boundaries of the AI gateway system. This issue affects versions prior to 1.82.0-stable where the Custom Code Guardrails functionality fails to enforce consistent security controls across different API endpoints. The root cause lies in the inconsistent implementation of sandboxing mechanisms between the test endpoint and the production create/update paths, creating a dangerous gap that malicious actors can exploit to execute arbitrary Python code within the proxy environment.

The technical flaw manifests as a lack of proper input validation and sandboxing controls specifically in the production pathways for guardrail creation and modification. While the test endpoint properly enforces security measures to prevent code execution, the create and update endpoints allow privileged users to submit custom Python code that executes with the same privileges as the LiteLLM process itself. This creates a severe attack surface where an authenticated user with appropriate permissions can potentially access sensitive system resources, environment variables, and secrets stored within the proxy process memory.

The operational impact of this vulnerability extends beyond simple code execution to encompass full system compromise and data leakage scenarios. Attackers could leverage this flaw to extract API keys, database credentials, and other confidential information accessible to the LiteLLM proxy server. The vulnerability particularly affects organizations relying on LiteLLM as an AI gateway that handles sensitive data processing, as it essentially allows authenticated users with guardrail permissions to escalate their privileges and gain unauthorized access to the underlying infrastructure. This represents a significant deviation from the expected security model where administrative functions should be isolated from code execution capabilities.

The mitigation strategy involves upgrading to version 1.82.0-stable or later, which implements consistent sandboxing controls across all guardrail endpoints. Security practitioners should also implement additional monitoring for suspicious activity in guardrail creation and update operations, while considering the principle of least privilege for users who require access to these administrative functions. Organizations should conduct thorough security reviews of their AI gateway configurations and assess whether similar inconsistencies exist in other parts of their infrastructure that handle user-provided code execution. This vulnerability aligns with CWE-74 and CWE-94 categories related to code injection and insecure deserialization, and represents a technique consistent with ATT&CK tactics involving privilege escalation and persistence through code execution within application environments.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!