216.73.216.170

CVE-2026-47102

· Published 21/05/2026 21:16 · Modified 21/05/2026 21:16

Labels: CVE-2026-47102 2026-05-21CVE-2026-47102CWE-863[email protected]

Essential information

Published
21/05/2026 21:16
Modified
21/05/2026 21:16
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
liteLLM / liteLLM cpe:2.3:a:liteLLM:liteLLM:<1.83.10:*:*:*:*:*:*:*

References