3 matches found
GHSA-QRC4-49GV-MV9M LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...
EUVD-2026-31345
LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin...
EUVD-2026-21376
LiteLLM has a sandbox escape in custom-code guardrail...