Arbitrary Code Injection Affecting litellm package, versions [,1.82.0)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.36% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-LITELLM-17900306
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • credityaaras

Introduced: 8 Jul 2026

NewCVE-2026-59821  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade litellm to version 1.82.0 or higher.

Overview

litellm is a Library to easily interface with LLM API providers

Affected versions of this package are vulnerable to Arbitrary Code Injection via the create_guardrail, update_guardrail, delete_guardrail, and patch_guardrail handlers in the guardrails API. An attacker can upload or modify custom Python code in a production guardrail request and have it executed inside the LiteLLM proxy process. This affects deployments where the guardrail endpoints are reachable without the intended proxy-admin authorization, including setups that treat unauthenticated callers as admin when no master key is configured. The attacker gains execution in the proxy container and can read secrets and other process-accessible data, breaking the user’s ability to trust guardrail management and exposing the proxy environment to compromise.

Notes

  • The production guardrail create/update paths were reachable through the same proxy-admin auth gate used by other management APIs; in deployments without LITELLM_MASTER_KEY, the proxy treated unauthenticated callers as INTERNAL_USER, which made these endpoints effectively open in that configuration.
  • The custom-code execution path was not limited to the test endpoint: production guardrail definitions were compiled and executed inside the proxy process, so any stored custom guardrail code could run on later guardrail evaluation as well as during creation/update validation.

Workarounds

  • Restrict access to POST /guardrails and PUT /guardrails/{guardrail_id} so only trusted administrators can create or modify guardrails; this prevents untrusted callers from submitting custom Python code through the production guardrails API.
  • Ensure LITELLM_MASTER_KEY is configured; this prevents unauthenticated callers from being treated as proxy administrators when no master key is set.
  • Avoid enabling Custom Code Guardrails for untrusted users; this prevents them from supplying guardrail code that executes inside the LiteLLM proxy process.

CVSS Base Scores

version 4.0
version 3.1