Researchers at Obsidian Security disclosed a vulnerability chain in LiteLLM, a widely deployed open-source AI gateway that brokers calls to over 100 model providers behind a unified OpenAI-compatible interface. An attacker holding only a default low-privilege account can chain three vulnerabilities to climb to full admin privileges and run code on the server.

The severity of this chain is underscored by the potential access gained: a full server takeover exposes every provider API key and secret the gateway holds. The flaws affect the default configuration, making many deployments running LiteLLM potentially reachable by an attacker with only a low-privilege account.

Technical details, as provided by Obsidian Security, describe an attack vector that begins with the low-privilege account and progresses through privilege escalation steps. The three vulnerabilities, when chained, permit the attacker to execute arbitrary commands on the host operating system. No CVEs or specific indicators of compromise were detailed in the disclosure.

Mitigation guidance from Obsidian Security was not explicitly detailed in the source, but organizations using LiteLLM are advised to audit their default accounts and restrict network access to the gateway. The researchers recommend reviewing access controls and monitoring for unusual administrative actions until an official patch is released.
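The "monitor for unusual administrative actions" advice above is easiest to act on as a concrete detection rule. The script below is an added example and is not code from Obsidian Security or the LiteLLM project; the audit-event schema (fields `actor`, `actor_role`, `action`, `target`, `new_role`) and the action names are assumptions constructed for the example, so map them onto whatever your gateway actually logs. It pins each principal's role to the one first seen for it and flags three escalation signatures: a principal whose event suddenly claims a higher role than tracked, a role change that was not granted by a trusted admin to someone else (including a self-grant), and any admin-only action by a principal not tracked as admin.

```python
import json

# Actions that only an admin principal should ever perform. These names are
# constructed for this example, not taken from LiteLLM's audit schema.
ADMIN_ONLY_ACTIONS = {"role_update", "key_list", "config_update", "key_create_for_other"}

# Constructed sample audit events, one JSON object per line. The field names
# are an assumption; adapt them to your gateway's real log format.
SAMPLE_LOG = """
{"ts": "2024-01-01T10:00:00Z", "actor": "alice", "actor_role": "admin", "action": "key_create", "target": "alice"}
{"ts": "2024-01-01T10:01:00Z", "actor": "bob", "actor_role": "user", "action": "chat_completion"}
{"ts": "2024-01-01T10:02:00Z", "actor": "alice", "actor_role": "admin", "action": "role_update", "target": "carol", "new_role": "admin"}
{"ts": "2024-01-01T10:03:00Z", "actor": "carol", "actor_role": "admin", "action": "key_list"}
{"ts": "2024-01-01T10:04:00Z", "actor": "bob", "actor_role": "user", "action": "key_list"}
{"ts": "2024-01-01T10:05:00Z", "actor": "bob", "actor_role": "user", "action": "role_update", "target": "bob", "new_role": "admin"}
{"ts": "2024-01-01T10:06:00Z", "actor": "bob", "actor_role": "admin", "action": "config_update"}
"""


def parse_events(text):
    """Parse newline-delimited JSON; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_escalation(events):
    """Return a list of alerts for privilege-escalation patterns.

    Each principal's role is pinned to the role first seen for it and only
    changes when an already-trusted admin grants a role to someone else.
    A principal that later claims "admin" after being seen as "user", or that
    performs admin-only actions, is therefore flagged even when the event
    itself asserts an admin role.
    """
    tracked_role = {}
    alerts = []
    for ev in events:
        actor = ev.get("actor")
        if not actor:
            continue
        claimed = ev.get("actor_role")
        tracked = tracked_role.setdefault(actor, claimed)
        action = ev.get("action")

        # Check 1: the role the event claims disagrees with the tracked role.
        if claimed != tracked:
            alerts.append({"rule": "role_claim_mismatch", "actor": actor, "ts": ev.get("ts")})

        # Check 2: role changes are trusted only from an admin acting on someone else.
        if action == "role_update":
            target = ev.get("target")
            if tracked == "admin" and target and target != actor:
                tracked_role[target] = ev.get("new_role")
            else:
                alerts.append({"rule": "untrusted_role_update", "actor": actor,
                               "target": target, "ts": ev.get("ts")})
        # Check 3: any other admin-only action by a principal not tracked as admin.
        elif action in ADMIN_ONLY_ACTIONS and tracked != "admin":
            alerts.append({"rule": "admin_action_by_non_admin", "actor": actor,
                           "action": action, "ts": ev.get("ts")})
    return alerts


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return detect_escalation(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log this yields four alerts, all for `bob`: an admin-only key listing while tracked as a user, a self-grant of the admin role, and then both a role-claim mismatch and an admin-only config change once the events start asserting `admin`. Carol's admin actions are not flagged because her role was granted by an admin already tracked as such; pinning roles to their first-seen value is what keeps a later, forged claim from silently updating the baseline.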

Attribution of the discovery goes to Obsidian Security, a cybersecurity firm focused on SaaS threats. The disclosure highlights the growing risk surface of AI infrastructure gateways, which aggregate access to sensitive model provider credentials and can become a high-value target for attackers.