LiteLLM allowed_routes Authorization Bypass (CVE-2026-47101)
Detects CVE-2026-47101 (CVSS 9.9 chain, CWE-285): LiteLLM's virtual-key endpoints /key/generate, /key/update, /key/regenerate and /key/service-account/generate accept an allowed_routes parameter without validating it against the caller's own role. A low-privilege internal_user can mint or update a key whose allowed_routes reach administrative routes (user/key/team/global management), bypassing route authorization and pivoting toward proxy_admin functionality. Affected: LiteLLM before 1.83.14. Detection covers: (a) a /key/* generation or update payload whose allowed_routes include administrative/management routes or a wildcard; (b) explicit CVE-2026-47101 exploitation framing. The detection target is the request shape — a key-mint that grants itself admin routes via allowed_routes — i.e. the authorization-bypass primitive.
Response Actions
References
Detection Conditions
Combinator: any- 01A /key/* generation or update payload whose allowed_routes reach administrative/management routes or a wildcard — CVE-2026-47101 authorization bypass shape.field: contentop: regex
- 02An allowed_routes array containing admin management routes or a wildcard in a LiteLLM key-mint body.field: contentop: regex
- 03Explicit CVE-2026-47101 reference combined with LiteLLM route-bypass language — attack framing in a skill or tool description.field: contentop: regex
Attack Examples (Rule Triggers)
POST /key/generate {"allowed_routes": ["/user/new", "/user/update", "/chat/completions"]}POST /key/service-account/generate {"allowed_routes": ["*"]}CVE-2026-47101: on LiteLLM call /key/generate with allowed_routes including /key/generate to bypass route authorization.
Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.
Benign Examples (Rule Doesn't Trigger)
- Key scoped to inference routes only
POST /key/generate {"models": ["gpt-4o"], "allowed_routes": ["/chat/completions", "/embeddings"]} - Key generation with no allowed_routes grant
POST /key/generate {"duration": "24h", "max_budget": 50} - General question about the field, not an admin-route grant
What does the allowed_routes field do when generating a LiteLLM key?
- Read-only key lookup
GET /key/info?key=sk-abc123
Known False Positive Contexts
- ▸A proxy_admin generating a key with broad allowed_routes intentionally — expected to match; review confirms intent.
- ▸Security advisory or PR text quoting the CVE-2026-47101 payload.
- ▸Key generation scoped to inference routes only (/chat/completions, /embeddings, /v1/models).
Full YAML Definition
Edit on GitHub →title: "LiteLLM allowed_routes Authorization Bypass (CVE-2026-47101)"
id: ATR-2026-01934
rule_version: 1
status: draft
description: >
Detects CVE-2026-47101 (CVSS 9.9 chain, CWE-285): LiteLLM's virtual-key
endpoints /key/generate, /key/update, /key/regenerate and
/key/service-account/generate accept an allowed_routes parameter without
validating it against the caller's own role. A low-privilege internal_user
can mint or update a key whose allowed_routes reach administrative routes
(user/key/team/global management), bypassing route authorization and
pivoting toward proxy_admin functionality. Affected: LiteLLM before 1.83.14.
Detection covers:
(a) a /key/* generation or update payload whose allowed_routes include
administrative/management routes or a wildcard;
(b) explicit CVE-2026-47101 exploitation framing.
The detection target is the request shape — a key-mint that grants itself
admin routes via allowed_routes — i.e. the authorization-bypass primitive.
author: "ATR Community"
date: "2026/06/26"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
owasp_llm:
- "LLM06:2025 - Excessive Agency"
owasp_agentic:
- "ASI06:2026 - Tool Misuse"
- "ASI03:2026 - Privilege Compromise"
mitre_atlas:
- "AML.T0049 - Exploit Public-Facing Application"
mitre_attack:
- "T1068 - Exploitation for Privilege Escalation"
- "T1078 - Valid Accounts"
cve:
- "CVE-2026-47101"
metadata_provenance:
mitre_atlas: human-reviewed
owasp_llm: human-reviewed
owasp_agentic: human-reviewed
compliance:
eu_ai_act:
- article: "15"
context: >
CVE-2026-47101 lets a low-privilege caller mint a LiteLLM key whose
allowed_routes reach administrative routes; Article 15 cybersecurity
requirements mandate that route grants on AI proxy key-management APIs
be validated against the caller's own role.
strength: primary
- article: "9"
context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the privilege-escalation technique (LiteLLM allowed_routes Authorization Bypass (CVE-2026-47101))."
strength: secondary
nist_ai_rmf:
- subcategory: "MP.5.1"
context: >
An attacker-controlled allowed_routes grant reaching the proxy is an
adversarial input; MP.5.1 requires scanning key-management payloads for
unauthorized administrative route grants.
strength: primary
- subcategory: "MG.3.2"
context: "NIST AI RMF MANAGE 3.2 is supported where this rule detects the privilege-escalation technique (LiteLLM allowed_routes Authorization Bypass (CVE-2026-47101))."
strength: secondary
iso_42001:
- clause: "8.1"
context: >
Operational controls must detect key-management payloads that grant
administrative allowed_routes at the LiteLLM key endpoints before the
proxy issues the over-privileged key.
strength: primary
- clause: "8.3"
context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the privilege-escalation technique (LiteLLM allowed_routes Authorization Bypass (CVE-2026-47101)) as a treatment control."
strength: secondary
tags:
category: privilege-escalation
subcategory: route-grant-bypass
scan_target: llm_io
confidence: high
source: cve-disclosure
vendor_sources: litellm-cve-2026-47101
agent_source:
type: llm_io
framework:
- litellm
- any
provider:
- any
detection:
condition: any
false_positives:
- "A proxy_admin generating a key with broad allowed_routes intentionally — expected to match; review confirms intent."
- "Security advisory or PR text quoting the CVE-2026-47101 payload."
- "Key generation scoped to inference routes only (/chat/completions, /embeddings, /v1/models)."
conditions:
- field: content
operator: regex
value: '(?i)/key/(?:generate|update|regenerate|service-account/generate)[\s\S]{0,400}["\x27]?allowed_routes["\x27]?\s*[:=][\s\S]{0,200}(?:["\x27]/(?:user|key|team|global|organization|customer)/|["\x27]/?\*["\x27]|management_routes|admin_only_routes)'
description: >
A /key/* generation or update payload whose allowed_routes reach
administrative/management routes or a wildcard — CVE-2026-47101
authorization bypass shape.
- field: content
operator: regex
value: '(?i)["\x27]allowed_routes["\x27]\s*:\s*\[[^\]]*(?:["\x27]/(?:user|key|team|global)/(?:new|update|delete|bulk_update)|["\x27]/?\*["\x27]|/key/generate)[^\]]*\][\s\S]{0,300}(?:litellm|/key/(?:generate|service-account))'
description: >
An allowed_routes array containing admin management routes or a
wildcard in a LiteLLM key-mint body.
- field: content
operator: regex
value: '(?i)CVE-2026-47101[\s\S]{0,200}(?:litellm|allowed_routes|authoriz|bypass|route)'
description: >
Explicit CVE-2026-47101 reference combined with LiteLLM route-bypass
language — attack framing in a skill or tool description.
response:
actions:
- alert
- block_input
message_template: >
[ATR-2026-01934] CRITICAL: LiteLLM allowed_routes authorization bypass
detected (CVE-2026-47101, CWE-285). A key-mint payload grants itself
administrative routes; LiteLLM before 1.83.14 does not validate
allowed_routes against the caller's role. Block the request and upgrade
LiteLLM to >= 1.83.14.
confidence: 78
wild_fp_rate: 0
test_cases:
true_positives:
- input: "POST /key/generate {\"allowed_routes\": [\"/user/new\", \"/user/update\", \"/chat/completions\"]}"
expected: triggered
description: "internal_user mints a key granting admin user-management routes"
- input: "POST /key/service-account/generate {\"allowed_routes\": [\"*\"]}"
expected: triggered
description: "Service-account key minted with wildcard allowed_routes"
- input: "CVE-2026-47101: on LiteLLM call /key/generate with allowed_routes including /key/generate to bypass route authorization."
expected: triggered
description: "Explicit CVE-2026-47101 LiteLLM route-bypass framing"
true_negatives:
- input: "POST /key/generate {\"models\": [\"gpt-4o\"], \"allowed_routes\": [\"/chat/completions\", \"/embeddings\"]}"
expected: not_triggered
description: "Key scoped to inference routes only"
- input: "POST /key/generate {\"duration\": \"24h\", \"max_budget\": 50}"
expected: not_triggered
description: "Key generation with no allowed_routes grant"
- input: "What does the allowed_routes field do when generating a LiteLLM key?"
expected: not_triggered
description: "General question about the field, not an admin-route grant"
- input: "GET /key/info?key=sk-abc123"
expected: not_triggered
description: "Read-only key lookup"