CVE-2026-47101: LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role
Summary
LiteLLM versions before 1.83.14 have a privilege escalation vulnerability (a security flaw that lets someone gain higher-level permissions than they should have) where authenticated internal users can create API keys (credentials for accessing the system) that grant access to admin-only routes without proper verification. This allows attackers to bypass role-based access controls (the system that restricts what different users can do) and gain full admin privileges.
Solution / Mitigation
Update LiteLLM to version 1.83.14 or later.
Vulnerability Details
CVSS score: 8.8 (high)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
May 21, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-47101
First tracked: May 21, 2026 at 08:10 PM