LiteLLM User-Role Privilege Escalation (CVE-2026-47102)
Detects CVE-2026-47102 (CVSS 9.9 chain, CWE-269): LiteLLM's user-management endpoints /user/update and /user/bulk_update modify security-sensitive fields without field-level authorization. A low-privilege authenticated caller (e.g. internal_user) can write the user_role field directly and self-promote to proxy_admin, gaining full administrative control of the LiteLLM proxy. Affected: LiteLLM before 1.83.10. Detection covers: (a) /user/update or /user/bulk_update payload that sets user_role to an administrative role (proxy_admin / admin); (b) the bulk_update array form where a user object escalates user_role; (c) explicit CVE-2026-47102 exploitation framing. The detection target is the request shape — an admin-role write at the user-update endpoint — which is the exact privilege-escalation primitive, caught before the proxy applies the role change.
建議回應
參考資料
偵測條件
組合方式: any- 01/user/update or /user/bulk_update payload writing user_role to an administrative proxy_admin value — direct CVE-2026-47102 escalation.欄位: content運算子: regex
- 02A user object pairing a user_id with a user_role of proxy_admin in an update body — the bulk_update self-promotion shape.欄位: content運算子: regex
- 03Explicit CVE-2026-47102 reference combined with LiteLLM role-escalation language — attack framing in a skill or tool description.欄位: content運算子: regex
攻擊範例(規則會觸發)
POST /user/update {"user_id": "u_self", "user_role": "proxy_admin"}POST /user/bulk_update {"users": [{"user_id": "u_self", "user_role": "proxy_admin"}]}Exploiting CVE-2026-47102 on LiteLLM: set user_role to proxy_admin via /user/update to escalate privilege.
以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。
正常樣本(規則不會觸發)
- Legitimate budget update, no user_role field
POST /user/update {"user_id": "u_123", "max_budget": 100} - Setting a non-administrative role
POST /user/update {"user_id": "u_123", "user_role": "internal_user"} - General question, not an update payload writing proxy_admin
How do I update a user's role in the LiteLLM proxy?
- Read-only user lookup
GET /user/info?user_id=u_123
已知誤報情境
- ▸Legitimate proxy_admin provisioning a new administrator through /user/update — expected to match; review confirms intent.
- ▸Security advisory or PR text quoting the CVE-2026-47102 payload.
- ▸User updates that set a non-administrative role (internal_user, internal_user_viewer).
完整 YAML 定義
在 GitHub 編輯 →title: "LiteLLM User-Role Privilege Escalation (CVE-2026-47102)"
id: ATR-2026-01933
rule_version: 1
status: draft
description: >
Detects CVE-2026-47102 (CVSS 9.9 chain, CWE-269): LiteLLM's user-management
endpoints /user/update and /user/bulk_update modify security-sensitive
fields without field-level authorization. A low-privilege authenticated
caller (e.g. internal_user) can write the user_role field directly and
self-promote to proxy_admin, gaining full administrative control of the
LiteLLM proxy. Affected: LiteLLM before 1.83.10.
Detection covers:
(a) /user/update or /user/bulk_update payload that sets user_role to an
administrative role (proxy_admin / admin);
(b) the bulk_update array form where a user object escalates user_role;
(c) explicit CVE-2026-47102 exploitation framing.
The detection target is the request shape — an admin-role write at the
user-update endpoint — which is the exact privilege-escalation primitive,
caught before the proxy applies the role change.
author: "ATR Community"
date: "2026/06/26"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
owasp_llm:
- "LLM06:2025 - Excessive Agency"
owasp_agentic:
- "ASI06:2026 - Tool Misuse"
- "ASI03:2026 - Privilege Compromise"
mitre_atlas:
- "AML.T0049 - Exploit Public-Facing Application"
mitre_attack:
- "T1068 - Exploitation for Privilege Escalation"
- "T1078 - Valid Accounts"
cve:
- "CVE-2026-47102"
metadata_provenance:
mitre_atlas: human-reviewed
owasp_llm: human-reviewed
owasp_agentic: human-reviewed
compliance:
eu_ai_act:
- article: "15"
context: >
CVE-2026-47102 lets a low-privilege caller write user_role directly
at the LiteLLM user-update endpoint and self-promote to proxy_admin;
Article 15 cybersecurity requirements mandate field-level
authorization on AI proxy account-management APIs.
strength: primary
- article: "9"
context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the privilege-escalation technique (LiteLLM User-Role Privilege Escalation (CVE-2026-47102))."
strength: secondary
nist_ai_rmf:
- subcategory: "MP.5.1"
context: >
An attacker-controlled user_role write reaching the proxy is an
adversarial input; MP.5.1 requires scanning user-management payloads
for unauthorized administrative role escalation.
strength: primary
- subcategory: "MG.3.2"
context: "NIST AI RMF MANAGE 3.2 is supported where this rule detects the privilege-escalation technique (LiteLLM User-Role Privilege Escalation (CVE-2026-47102))."
strength: secondary
iso_42001:
- clause: "8.1"
context: >
Operational controls must detect user-management payloads that set an
administrative user_role at the LiteLLM update endpoint before the
proxy applies the role change.
strength: primary
- clause: "8.3"
context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the privilege-escalation technique (LiteLLM User-Role Privilege Escalation (CVE-2026-47102)) as a treatment control."
strength: secondary
tags:
category: privilege-escalation
subcategory: role-write-bypass
scan_target: llm_io
confidence: high
source: cve-disclosure
vendor_sources: litellm-cve-2026-47102
agent_source:
type: llm_io
framework:
- litellm
- any
provider:
- any
detection:
condition: any
false_positives:
- "Legitimate proxy_admin provisioning a new administrator through /user/update — expected to match; review confirms intent."
- "Security advisory or PR text quoting the CVE-2026-47102 payload."
- "User updates that set a non-administrative role (internal_user, internal_user_viewer)."
conditions:
- field: content
operator: regex
value: '(?i)/user/(?:update|bulk_update)[\s\S]{0,400}["\x27]?user_role["\x27]?\s*[:=]\s*["\x27]?(?:proxy_admin|proxy[_-]admin)\b'
description: >
/user/update or /user/bulk_update payload writing user_role to an
administrative proxy_admin value — direct CVE-2026-47102 escalation.
- field: content
operator: regex
value: '(?i)["\x27]user_role["\x27]\s*:\s*["\x27]proxy_admin["\x27][\s\S]{0,300}["\x27]user_id["\x27]\s*:|["\x27]user_id["\x27]\s*:[\s\S]{0,300}["\x27]user_role["\x27]\s*:\s*["\x27]proxy_admin["\x27]'
description: >
A user object pairing a user_id with a user_role of proxy_admin in an
update body — the bulk_update self-promotion shape.
- field: content
operator: regex
value: '(?i)CVE-2026-47102[\s\S]{0,200}(?:litellm|user_role|proxy_admin|privileg|escalat)'
description: >
Explicit CVE-2026-47102 reference combined with LiteLLM role-escalation
language — attack framing in a skill or tool description.
response:
actions:
- alert
- block_input
message_template: >
[ATR-2026-01933] CRITICAL: LiteLLM user_role privilege escalation detected
(CVE-2026-47102, CWE-269). A user-update payload writes an administrative
proxy_admin role; LiteLLM before 1.83.10 applies this without field-level
authorization. Block the request and upgrade LiteLLM to >= 1.83.10.
confidence: 80
wild_fp_rate: 0
test_cases:
true_positives:
- input: "POST /user/update {\"user_id\": \"u_self\", \"user_role\": \"proxy_admin\"}"
expected: triggered
description: "Low-priv user self-promotes to proxy_admin via /user/update"
- input: "POST /user/bulk_update {\"users\": [{\"user_id\": \"u_self\", \"user_role\": \"proxy_admin\"}]}"
expected: triggered
description: "bulk_update array escalates a user to proxy_admin"
- input: "Exploiting CVE-2026-47102 on LiteLLM: set user_role to proxy_admin via /user/update to escalate privilege."
expected: triggered
description: "Explicit CVE-2026-47102 LiteLLM escalation framing"
true_negatives:
- input: "POST /user/update {\"user_id\": \"u_123\", \"max_budget\": 100}"
expected: not_triggered
description: "Legitimate budget update, no user_role field"
- input: "POST /user/update {\"user_id\": \"u_123\", \"user_role\": \"internal_user\"}"
expected: not_triggered
description: "Setting a non-administrative role"
- input: "How do I update a user's role in the LiteLLM proxy?"
expected: not_triggered
description: "General question, not an update payload writing proxy_admin"
- input: "GET /user/info?user_id=u_123"
expected: not_triggered
description: "Read-only user lookup"