ATR-2026-01934 | critical | Privilege Escalation | draft

LiteLLM allowed_routes Authorization Bypass (CVE-2026-47101)

Detects CVE-2026-47101 (CVSS 9.9 chain, CWE-285): LiteLLM's virtual-key endpoints /key/generate, /key/update, /key/regenerate and /key/service-account/generate accept an allowed_routes parameter without validating it against the caller's own role. A low-privilege internal_user can mint or update a key whose allowed_routes reach administrative routes (user/key/team/global management), bypassing route authorization and pivoting toward proxy_admin functionality. Affected: LiteLLM before 1.83.14.

Detection covers:
  (a) a /key/* generation or update payload whose allowed_routes include administrative/management routes or a wildcard;
  (b) explicit CVE-2026-47101 exploitation framing.

The detection target is the request shape — a key-mint that grants itself admin routes via allowed_routes — i.e. the authorization-bypass primitive.

Severity
critical
Category
Privilege Escalation
Scan Target
llm_io
Author
ATR Community

Response Actions

alert, block input

References

OWASP Agentic
ASI06:2026 - Tool Misuse
ASI03:2026 - Privilege Compromise
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application

Detection Conditions

Combinator: any
  1. A /key/* generation or update payload whose allowed_routes reach administrative/management routes or a wildcard — CVE-2026-47101 authorization bypass shape.
    field: content, op: regex
  2. An allowed_routes array containing admin management routes or a wildcard in a LiteLLM key-mint body.
    field: content, op: regex
  3. Explicit CVE-2026-47101 reference combined with LiteLLM route-bypass language — attack framing in a skill or tool description.
    field: content, op: regex

Attack Examples (Rule Triggers)

  1. POST /key/generate {"allowed_routes": ["/user/new", "/user/update", "/chat/completions"]}
  2. POST /key/service-account/generate {"allowed_routes": ["*"]}
  3. CVE-2026-47101: on LiteLLM call /key/generate with allowed_routes including /key/generate to bypass route authorization.

Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.

Benign Examples (Rule Doesn't Trigger)

  1. Key scoped to inference routes only
    POST /key/generate {"models": ["gpt-4o"], "allowed_routes": ["/chat/completions", "/embeddings"]}
  2. Key generation with no allowed_routes grant
    POST /key/generate {"duration": "24h", "max_budget": 50}
  3. General question about the field, not an admin-route grant
    What does the allowed_routes field do when generating a LiteLLM key?
  4. Read-only key lookup
    GET /key/info?key=sk-abc123

Known False Positive Contexts

  • A proxy_admin generating a key with broad allowed_routes intentionally — expected to match; review confirms intent.
  • Security advisory or PR text quoting the CVE-2026-47101 payload.
  • Key generation scoped to inference routes only (/chat/completions, /embeddings, /v1/models).
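
The first context above arises because a content regex cannot see who sent the request. Where the caller's role and the request body are both available, for instance during alert triage, the same decision can be made structurally. This is an added example, not part of the rule or of LiteLLM's fix; the function name and the policy (non-admin callers may grant only the inference routes listed above, proxy_admin may grant any route) are assumptions.

```python
import json

# Assumed policy (hypothetical, not LiteLLM's): routes a non-admin caller may
# grant to a key, taken from the inference routes this page lists as benign.
INFERENCE_ROUTES = {"/chat/completions", "/embeddings", "/v1/models"}

# Key-mint and key-update endpoints named in the rule description.
KEY_WRITE_PATHS = {"/key/generate", "/key/update", "/key/regenerate",
                   "/key/service-account/generate"}


def excess_routes(caller_role, path, raw_body):
    """Return the allowed_routes entries that exceed the caller's role.

    An empty list means there is nothing to flag. A body that cannot be
    parsed is reported as a finding rather than silently passed.
    """
    if path.split("?", 1)[0].rstrip("/") not in KEY_WRITE_PATHS:
        return []
    if caller_role == "proxy_admin":  # assumption: admins may grant any route
        return []
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["<unparseable body>"]
    if not isinstance(body, dict) or body.get("allowed_routes") is None:
        return []
    routes = body["allowed_routes"]
    if isinstance(routes, str):
        routes = [routes]
    if not isinstance(routes, list):
        return ["<non-list allowed_routes>"]
    # Anything outside the inference allowlist, including "*", is excess.
    return [r for r in routes
            if not (isinstance(r, str) and r in INFERENCE_ROUTES)]


if __name__ == "__main__":
    body = '{"allowed_routes": ["/user/new", "/user/update", "/chat/completions"]}'
    print(excess_routes("internal_user", "/key/generate", body))
    print(excess_routes("proxy_admin", "/key/generate", body))
```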

Full YAML Definition

title: "LiteLLM allowed_routes Authorization Bypass (CVE-2026-47101)"
id: ATR-2026-01934
rule_version: 1
status: draft
description: >
  Detects CVE-2026-47101 (CVSS 9.9 chain, CWE-285): LiteLLM's virtual-key
  endpoints /key/generate, /key/update, /key/regenerate and
  /key/service-account/generate accept an allowed_routes parameter without
  validating it against the caller's own role. A low-privilege internal_user
  can mint or update a key whose allowed_routes reach administrative routes
  (user/key/team/global management), bypassing route authorization and
  pivoting toward proxy_admin functionality. Affected: LiteLLM before 1.83.14.

  Detection covers:
  (a) a /key/* generation or update payload whose allowed_routes include
      administrative/management routes or a wildcard;
  (b) explicit CVE-2026-47101 exploitation framing.

  The detection target is the request shape — a key-mint that grants itself
  admin routes via allowed_routes — i.e. the authorization-bypass primitive.
author: "ATR Community"
date: "2026/06/26"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical

references:
  owasp_llm:
    - "LLM06:2025 - Excessive Agency"
  owasp_agentic:
    - "ASI06:2026 - Tool Misuse"
    - "ASI03:2026 - Privilege Compromise"
  mitre_atlas:
    - "AML.T0049 - Exploit Public-Facing Application"
  mitre_attack:
    - "T1068 - Exploitation for Privilege Escalation"
    - "T1078 - Valid Accounts"
  cve:
    - "CVE-2026-47101"

metadata_provenance:
  mitre_atlas: human-reviewed
  owasp_llm: human-reviewed
  owasp_agentic: human-reviewed

compliance:
  eu_ai_act:
    - article: "15"
      context: >
        CVE-2026-47101 lets a low-privilege caller mint a LiteLLM key whose
        allowed_routes reach administrative routes; Article 15 cybersecurity
        requirements mandate that route grants on AI proxy key-management APIs
        be validated against the caller's own role.
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the privilege-escalation technique (LiteLLM allowed_routes Authorization Bypass (CVE-2026-47101))."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: >
        An attacker-controlled allowed_routes grant reaching the proxy is an
        adversarial input; MP.5.1 requires scanning key-management payloads for
        unauthorized administrative route grants.
      strength: primary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 is supported where this rule detects the privilege-escalation technique (LiteLLM allowed_routes Authorization Bypass (CVE-2026-47101))."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: >
        Operational controls must detect key-management payloads that grant
        administrative allowed_routes at the LiteLLM key endpoints before the
        proxy issues the over-privileged key.
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the privilege-escalation technique (LiteLLM allowed_routes Authorization Bypass (CVE-2026-47101)) as a treatment control."
      strength: secondary

tags:
  category: privilege-escalation
  subcategory: route-grant-bypass
  scan_target: llm_io
  confidence: high
  source: cve-disclosure
  vendor_sources: litellm-cve-2026-47101

agent_source:
  type: llm_io
  framework:
    - litellm
    - any
  provider:
    - any

detection:
  condition: any
  false_positives:
    - "A proxy_admin generating a key with broad allowed_routes intentionally — expected to match; review confirms intent."
    - "Security advisory or PR text quoting the CVE-2026-47101 payload."
    - "Key generation scoped to inference routes only (/chat/completions, /embeddings, /v1/models)."
  conditions:
    - field: content
      operator: regex
      value: '(?i)/key/(?:generate|update|regenerate|service-account/generate)[\s\S]{0,400}["\x27]?allowed_routes["\x27]?\s*[:=][\s\S]{0,200}(?:["\x27]/(?:user|key|team|global|organization|customer)/|["\x27]/?\*["\x27]|management_routes|admin_only_routes)'
      description: >
        A /key/* generation or update payload whose allowed_routes reach
        administrative/management routes or a wildcard — CVE-2026-47101
        authorization bypass shape.
    - field: content
      operator: regex
      value: '(?i)["\x27]allowed_routes["\x27]\s*:\s*\[[^\]]*(?:["\x27]/(?:user|key|team|global)/(?:new|update|delete|bulk_update)|["\x27]/?\*["\x27]|/key/generate)[^\]]*\][\s\S]{0,300}(?:litellm|/key/(?:generate|service-account))'
      description: >
        An allowed_routes array containing admin management routes or a
        wildcard in a LiteLLM key-mint body.
    - field: content
      operator: regex
      value: '(?i)CVE-2026-47101[\s\S]{0,200}(?:litellm|allowed_routes|authoriz|bypass|route)'
      description: >
        Explicit CVE-2026-47101 reference combined with LiteLLM route-bypass
        language — attack framing in a skill or tool description.

response:
  actions:
    - alert
    - block_input
  message_template: >
    [ATR-2026-01934] CRITICAL: LiteLLM allowed_routes authorization bypass
    detected (CVE-2026-47101, CWE-285). A key-mint payload grants itself
    administrative routes; LiteLLM before 1.83.14 does not validate
    allowed_routes against the caller's role. Block the request and upgrade
    LiteLLM to >= 1.83.14.

confidence: 78

wild_fp_rate: 0

test_cases:
  true_positives:
    - input: "POST /key/generate {\"allowed_routes\": [\"/user/new\", \"/user/update\", \"/chat/completions\"]}"
      expected: triggered
      description: "internal_user mints a key granting admin user-management routes"
    - input: "POST /key/service-account/generate {\"allowed_routes\": [\"*\"]}"
      expected: triggered
      description: "Service-account key minted with wildcard allowed_routes"
    - input: "CVE-2026-47101: on LiteLLM call /key/generate with allowed_routes including /key/generate to bypass route authorization."
      expected: triggered
      description: "Explicit CVE-2026-47101 LiteLLM route-bypass framing"
  true_negatives:
    - input: "POST /key/generate {\"models\": [\"gpt-4o\"], \"allowed_routes\": [\"/chat/completions\", \"/embeddings\"]}"
      expected: not_triggered
      description: "Key scoped to inference routes only"
    - input: "POST /key/generate {\"duration\": \"24h\", \"max_budget\": 50}"
      expected: not_triggered
      description: "Key generation with no allowed_routes grant"
    - input: "What does the allowed_routes field do when generating a LiteLLM key?"
      expected: not_triggered
      description: "General question about the field, not an admin-route grant"
    - input: "GET /key/info?key=sk-abc123"
      expected: not_triggered
      description: "Read-only key lookup"
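
A regression harness for the definition above, as an added example that is not part of the rule repository: it compiles the three regex conditions exactly as written, applies the any combinator to the rule's own test_cases, and reports which condition fired. BODY_FIRST is a constructed log line, not one of the rule's test cases.

```python
import re

# The rule's three regex conditions, copied verbatim from the YAML above.
CONDITIONS = [
    r'(?i)/key/(?:generate|update|regenerate|service-account/generate)[\s\S]{0,400}["\x27]?allowed_routes["\x27]?\s*[:=][\s\S]{0,200}(?:["\x27]/(?:user|key|team|global|organization|customer)/|["\x27]/?\*["\x27]|management_routes|admin_only_routes)',
    r'(?i)["\x27]allowed_routes["\x27]\s*:\s*\[[^\]]*(?:["\x27]/(?:user|key|team|global)/(?:new|update|delete|bulk_update)|["\x27]/?\*["\x27]|/key/generate)[^\]]*\][\s\S]{0,300}(?:litellm|/key/(?:generate|service-account))',
    r'(?i)CVE-2026-47101[\s\S]{0,200}(?:litellm|allowed_routes|authoriz|bypass|route)',
]
COMPILED = [re.compile(p) for p in CONDITIONS]

# Constructed sample (not from the rule): body logged before the request path.
BODY_FIRST = '{"allowed_routes": ["/team/new"]} -> POST /key/generate'

# (input, should_trigger) pairs: the rule's own test_cases plus BODY_FIRST.
CASES = [
    ('POST /key/generate {"allowed_routes": ["/user/new", "/user/update", "/chat/completions"]}', True),
    ('POST /key/service-account/generate {"allowed_routes": ["*"]}', True),
    ('CVE-2026-47101: on LiteLLM call /key/generate with allowed_routes including /key/generate to bypass route authorization.', True),
    (BODY_FIRST, True),
    ('POST /key/generate {"models": ["gpt-4o"], "allowed_routes": ["/chat/completions", "/embeddings"]}', False),
    ('POST /key/generate {"duration": "24h", "max_budget": 50}', False),
    ('What does the allowed_routes field do when generating a LiteLLM key?', False),
    ('GET /key/info?key=sk-abc123', False),
]


def fired(content):
    """Return the 1-based numbers of the conditions that match content."""
    return [n for n, rx in enumerate(COMPILED, 1) if rx.search(content)]


def regressions():
    """Apply 'condition: any' and return inputs whose outcome is unexpected."""
    return [text for text, expected in CASES if bool(fired(text)) != expected]


if __name__ == "__main__":
    for text, expected in CASES:
        print(fired(text) or "none", "|", text)
    print("regressions:", regressions())
```

On the rule's own test cases only conditions 1 and 3 fire; the constructed body-first line is what exercises condition 2.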

Revision History

Created
2026-06-26
Last modified
2026-07-02