ATR-2026-01933 | critical | Privilege Escalation | draft

LiteLLM User-Role Privilege Escalation (CVE-2026-47102)

Detects CVE-2026-47102 (CVSS 9.9 chain, CWE-269): LiteLLM's user-management endpoints /user/update and /user/bulk_update modify security-sensitive fields without field-level authorization. A low-privilege authenticated caller (e.g. internal_user) can write the user_role field directly and self-promote to proxy_admin, gaining full administrative control of the LiteLLM proxy. Affected: LiteLLM before 1.83.10. Detection covers: (a) /user/update or /user/bulk_update payload that sets user_role to an administrative role (proxy_admin / admin); (b) the bulk_update array form where a user object escalates user_role; (c) explicit CVE-2026-47102 exploitation framing. The detection target is the request shape — an admin-role write at the user-update endpoint — which is the exact privilege-escalation primitive, caught before the proxy applies the role change.

Severity
critical
Category
Privilege Escalation
Scan target
llm_io
Author
ATR Community

Recommended response

alert, block input

References

OWASP Agentic
ASI06:2026 - Tool Misuse
ASI03:2026 - Privilege Compromise
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application

Detection conditions

Combination: any
  1. 01
    /user/update or /user/bulk_update payload writing user_role to an administrative proxy_admin value — direct CVE-2026-47102 escalation.
    Field: content, Operator: regex
  2. 02
    A user object pairing a user_id with a user_role of proxy_admin in an update body — the bulk_update self-promotion shape.
    Field: content, Operator: regex
  3. 03
    Explicit CVE-2026-47102 reference combined with LiteLLM role-escalation language — attack framing in a skill or tool description.
    Field: content, Operator: regex

Attack examples (rule triggers)

  1. POST /user/update {"user_id": "u_self", "user_role": "proxy_admin"}
  2. POST /user/bulk_update {"users": [{"user_id": "u_self", "user_role": "proxy_admin"}]}
  3. Exploiting CVE-2026-47102 on LiteLLM: set user_role to proxy_admin via /user/update to escalate privilege.

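The above are sanitized versions of real attack payloads, versioned together with the rule as regression tests, so that future revisions do not silently stop catching them.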

Benign samples (rule does not trigger)

  1. Legitimate budget update, no user_role field
    POST /user/update {"user_id": "u_123", "max_budget": 100}
  2. Setting a non-administrative role
    POST /user/update {"user_id": "u_123", "user_role": "internal_user"}
  3. General question, not an update payload writing proxy_admin
    How do I update a user's role in the LiteLLM proxy?
  4. Read-only user lookup
    GET /user/info?user_id=u_123

Known false-positive scenarios

  • Legitimate proxy_admin provisioning a new administrator through /user/update — expected to match; review confirms intent.
  • Security advisory or PR text quoting the CVE-2026-47102 payload.
  • User updates that set a non-administrative role (internal_user, internal_user_viewer).

Full YAML definition

title: "LiteLLM User-Role Privilege Escalation (CVE-2026-47102)"
id: ATR-2026-01933
rule_version: 1
status: draft
description: >
  Detects CVE-2026-47102 (CVSS 9.9 chain, CWE-269): LiteLLM's user-management
  endpoints /user/update and /user/bulk_update modify security-sensitive
  fields without field-level authorization. A low-privilege authenticated
  caller (e.g. internal_user) can write the user_role field directly and
  self-promote to proxy_admin, gaining full administrative control of the
  LiteLLM proxy. Affected: LiteLLM before 1.83.10.

  Detection covers:
  (a) /user/update or /user/bulk_update payload that sets user_role to an
      administrative role (proxy_admin / admin);
  (b) the bulk_update array form where a user object escalates user_role;
  (c) explicit CVE-2026-47102 exploitation framing.

  The detection target is the request shape — an admin-role write at the
  user-update endpoint — which is the exact privilege-escalation primitive,
  caught before the proxy applies the role change.
author: "ATR Community"
date: "2026/06/26"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical

references:
  owasp_llm:
    - "LLM06:2025 - Excessive Agency"
  owasp_agentic:
    - "ASI06:2026 - Tool Misuse"
    - "ASI03:2026 - Privilege Compromise"
  mitre_atlas:
    - "AML.T0049 - Exploit Public-Facing Application"
  mitre_attack:
    - "T1068 - Exploitation for Privilege Escalation"
    - "T1078 - Valid Accounts"
  cve:
    - "CVE-2026-47102"

metadata_provenance:
  mitre_atlas: human-reviewed
  owasp_llm: human-reviewed
  owasp_agentic: human-reviewed

compliance:
  eu_ai_act:
    - article: "15"
      context: >
        CVE-2026-47102 lets a low-privilege caller write user_role directly
        at the LiteLLM user-update endpoint and self-promote to proxy_admin;
        Article 15 cybersecurity requirements mandate field-level
        authorization on AI proxy account-management APIs.
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the privilege-escalation technique (LiteLLM User-Role Privilege Escalation (CVE-2026-47102))."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: >
        An attacker-controlled user_role write reaching the proxy is an
        adversarial input; MP.5.1 requires scanning user-management payloads
        for unauthorized administrative role escalation.
      strength: primary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 is supported where this rule detects the privilege-escalation technique (LiteLLM User-Role Privilege Escalation (CVE-2026-47102))."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: >
        Operational controls must detect user-management payloads that set an
        administrative user_role at the LiteLLM update endpoint before the
        proxy applies the role change.
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the privilege-escalation technique (LiteLLM User-Role Privilege Escalation (CVE-2026-47102)) as a treatment control."
      strength: secondary

tags:
  category: privilege-escalation
  subcategory: role-write-bypass
  scan_target: llm_io
  confidence: high
  source: cve-disclosure
  vendor_sources: litellm-cve-2026-47102

agent_source:
  type: llm_io
  framework:
    - litellm
    - any
  provider:
    - any

detection:
  condition: any
  false_positives:
    - "Legitimate proxy_admin provisioning a new administrator through /user/update — expected to match; review confirms intent."
    - "Security advisory or PR text quoting the CVE-2026-47102 payload."
    - "User updates that set a non-administrative role (internal_user, internal_user_viewer)."
  conditions:
    - field: content
      operator: regex
      value: '(?i)/user/(?:update|bulk_update)[\s\S]{0,400}["\x27]?user_role["\x27]?\s*[:=]\s*["\x27]?(?:proxy_admin|proxy[_-]admin)\b'
      description: >
        /user/update or /user/bulk_update payload writing user_role to an
        administrative proxy_admin value — direct CVE-2026-47102 escalation.
    - field: content
      operator: regex
      value: '(?i)["\x27]user_role["\x27]\s*:\s*["\x27]proxy_admin["\x27][\s\S]{0,300}["\x27]user_id["\x27]\s*:|["\x27]user_id["\x27]\s*:[\s\S]{0,300}["\x27]user_role["\x27]\s*:\s*["\x27]proxy_admin["\x27]'
      description: >
        A user object pairing a user_id with a user_role of proxy_admin in an
        update body — the bulk_update self-promotion shape.
    - field: content
      operator: regex
      value: '(?i)CVE-2026-47102[\s\S]{0,200}(?:litellm|user_role|proxy_admin|privileg|escalat)'
      description: >
        Explicit CVE-2026-47102 reference combined with LiteLLM role-escalation
        language — attack framing in a skill or tool description.

response:
  actions:
    - alert
    - block_input
  message_template: >
    [ATR-2026-01933] CRITICAL: LiteLLM user_role privilege escalation detected
    (CVE-2026-47102, CWE-269). A user-update payload writes an administrative
    proxy_admin role; LiteLLM before 1.83.10 applies this without field-level
    authorization. Block the request and upgrade LiteLLM to >= 1.83.10.

confidence: 80

wild_fp_rate: 0

test_cases:
  true_positives:
    - input: "POST /user/update {\"user_id\": \"u_self\", \"user_role\": \"proxy_admin\"}"
      expected: triggered
      description: "Low-priv user self-promotes to proxy_admin via /user/update"
    - input: "POST /user/bulk_update {\"users\": [{\"user_id\": \"u_self\", \"user_role\": \"proxy_admin\"}]}"
      expected: triggered
      description: "bulk_update array escalates a user to proxy_admin"
    - input: "Exploiting CVE-2026-47102 on LiteLLM: set user_role to proxy_admin via /user/update to escalate privilege."
      expected: triggered
      description: "Explicit CVE-2026-47102 LiteLLM escalation framing"
  true_negatives:
    - input: "POST /user/update {\"user_id\": \"u_123\", \"max_budget\": 100}"
      expected: not_triggered
      description: "Legitimate budget update, no user_role field"
    - input: "POST /user/update {\"user_id\": \"u_123\", \"user_role\": \"internal_user\"}"
      expected: not_triggered
      description: "Setting a non-administrative role"
    - input: "How do I update a user's role in the LiteLLM proxy?"
      expected: not_triggered
      description: "General question, not an update payload writing proxy_admin"
    - input: "GET /user/info?user_id=u_123"
      expected: not_triggered
      description: "Read-only user lookup"
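
Added example (not part of the ATR project or its tooling): a small Python harness that takes the three regexes from the YAML definition and replays the rule's own test_cases, reporting which condition fired for each input. It assumes the rule engine's regex semantics match Python's `re` module and that `condition: any` means a single match triggers the rule; the names `evaluate` and `regression_failures` are hypothetical.

```python
import re

# The three `conditions[].value` regexes, copied verbatim from the rule's YAML.
CONDITIONS = {
    "01": r'(?i)/user/(?:update|bulk_update)[\s\S]{0,400}["\x27]?user_role["\x27]?\s*[:=]\s*["\x27]?(?:proxy_admin|proxy[_-]admin)\b',
    "02": r'(?i)["\x27]user_role["\x27]\s*:\s*["\x27]proxy_admin["\x27][\s\S]{0,300}["\x27]user_id["\x27]\s*:|["\x27]user_id["\x27]\s*:[\s\S]{0,300}["\x27]user_role["\x27]\s*:\s*["\x27]proxy_admin["\x27]',
    "03": r'(?i)CVE-2026-47102[\s\S]{0,200}(?:litellm|user_role|proxy_admin|privileg|escalat)',
}
COMPILED = {cid: re.compile(rx) for cid, rx in CONDITIONS.items()}

# Inputs and expected outcomes copied from the rule's `test_cases` block
# (True = expected: triggered, False = expected: not_triggered).
TEST_CASES = [
    ('POST /user/update {"user_id": "u_self", "user_role": "proxy_admin"}', True),
    ('POST /user/bulk_update {"users": [{"user_id": "u_self", "user_role": "proxy_admin"}]}', True),
    ("Exploiting CVE-2026-47102 on LiteLLM: set user_role to proxy_admin "
     "via /user/update to escalate privilege.", True),
    ('POST /user/update {"user_id": "u_123", "max_budget": 100}', False),
    ('POST /user/update {"user_id": "u_123", "user_role": "internal_user"}', False),
    ("How do I update a user's role in the LiteLLM proxy?", False),
    ("GET /user/info?user_id=u_123", False),
]


def evaluate(content):
    """Return ids of matching conditions; under `condition: any` the rule
    triggers when this list is non-empty."""
    return [cid for cid, rx in COMPILED.items() if rx.search(content)]


def regression_failures():
    """Return (input, expected, matched_ids) for every case whose outcome differs."""
    failures = []
    for content, expected in TEST_CASES:
        matched = evaluate(content)
        if bool(matched) != expected:
            failures.append((content, expected, matched))
    return failures


if __name__ == "__main__":
    for content, _ in TEST_CASES:
        hits = evaluate(content)
        print(f"{'TRIGGER' if hits else 'pass':8} {hits} {content}")
    print("regression failures:", regression_failures())
```

Both JSON payloads match conditions 01 and 02 at once, while the CVE-framing sentence is caught only by condition 03, which is useful to know when tuning or retiring an individual condition.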

Revision history

Created
2026-06-26
Last modified
2026-07-02