AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-40217: LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/t

highvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseApril 10, 2026CVE-2026-40217

Summary

LiteLLM (a library for working with multiple AI models) versions through April 8, 2026 contain a vulnerability that allows remote attackers to execute arbitrary code (run commands they shouldn't be able to run) through bytecode rewriting (modifying compiled code) at a specific web endpoint called /guardrails/test_custom_code. This is a serious security flaw because attackers on the internet could potentially take control of systems running vulnerable versions.

Vulnerability Details

CVSS Score

8.8(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

network

Attack Complexity

low

Privileges Required

low

User Interaction

none

Disclosure Date

April 10, 2026

Classification

Attack Type

Model Poisoning

Attack SophisticationModerate

Impact (CIA+S)

integrityconfidentiality

Taxonomy References

CWE (Weakness Type)

CWE-420

Affected Vendors

LangChain

Related Issues

medium

CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e

Same vendorNVD/CVE Database

high

CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-40217

First tracked: April 10, 2026 at 02:07 PM

Classified by LLM (prompt v3) · confidence: 85%