Litellm · Litellm · CVE-2026-47101
**Name of the Vulnerable Software and Affected Versions**
LiteLLM versions prior to 1.83.14
**Description**
An authenticated `internal user` can create API keys with access to routes not permitted by their role. This occurs because the `allowed routes` field is stored during key generation without verifying that the specified routes fall within the requesting user's own permissions. By creating a key with access to admin-only routes, a user can bypass role-based access control (RBAC), the mechanism that restricts system access to authorized users, resulting in full privilege escalation from `internal user` to `proxy admin`.
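The missing check, shown as an added illustration rather than LiteLLM's own code: a key-generation handler that stores `allowed_routes` verbatim beside one that rejects any route outside the caller's role. The role table, route paths and dataclass names are constructed for this example and are not LiteLLM identifiers.

```python
"""Illustrative check for allowed_routes at key generation (example code, not LiteLLM's)."""
from dataclasses import dataclass

# Constructed role -> permitted-route table; the real proxy's tables differ.
ROLE_ROUTES = {
    "proxy_admin": {"/chat/completions", "/key/generate", "/key/list",
                    "/user/list", "/config/update"},
    "internal_user": {"/chat/completions", "/key/generate", "/key/info"},
}


@dataclass(frozen=True)
class Caller:
    user_id: str
    role: str


@dataclass
class GeneratedKey:
    owner: str
    allowed_routes: set


def excess_routes(caller: Caller, requested_routes) -> set:
    """Routes the caller asked for that their own role does not permit."""
    permitted = ROLE_ROUTES.get(caller.role, set())
    return set(requested_routes) - permitted


def generate_key_vulnerable(caller: Caller, requested_routes) -> GeneratedKey:
    # Vulnerable pattern: the requested routes are stored as-is, so a key can
    # carry more routes than the user who minted it is allowed to call.
    return GeneratedKey(owner=caller.user_id, allowed_routes=set(requested_routes))


def generate_key_fixed(caller: Caller, requested_routes) -> GeneratedKey:
    # Fixed pattern: a key may only ever be a subset of its creator's own routes.
    excess = excess_routes(caller, requested_routes)
    if excess:
        raise PermissionError(
            f"role {caller.role!r} may not grant routes: {sorted(excess)}")
    requested = set(requested_routes)
    # An empty request inherits the creator's routes, never "all routes".
    return GeneratedKey(owner=caller.user_id,
                        allowed_routes=requested or set(ROLE_ROUTES[caller.role]))


def key_may_call(key: GeneratedKey, route: str) -> bool:
    """Route-level authorization check applied when the key is later used."""
    return route in key.allowed_routes
```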
**Recommendations**
Update to version 1.83.14 or later.