LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
Summary
LiteLLM, a widely used open-source AI gateway (a system that routes AI requests to multiple providers), has a critical vulnerability chain (CVSS score of 9.9, meaning extremely severe) that lets low-privilege users gain full admin control and run code on the server. The three bugs work together: an authorization bypass (CVE-2026-47101) that lets users create keys with unlimited access, a privilege escalation (CVE-2026-47102) that promotes users to admin, and a sandbox escape (CVE-2026-40217) that executes arbitrary code. A successful compromise exposes all provider API keys, encrypted credentials, and every prompt and response passing through the gateway, and allows attackers to alter AI responses in transit.
Solution / Mitigation
Upgrade to LiteLLM v1.83.14-stable or later. This release, published May 2, includes the complete fix set for all three CVEs in the vulnerability chain.
Classification
Affected Vendors
Related Issues
Original source: https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html
First tracked: June 15, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%