PT-2026-42538 · Litellm · Litellm

13Ph03Nix · Published 2026-05-21 · Updated 2026-06-16 · CVE-2026-47101

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LiteLLM versions prior to 1.83.14

Description: An authenticated internal user can create API keys with access to routes that their role does not permit. The cause is that the allowed-routes field is stored during key generation without verifying that the requested routes fall within the requesting user's own permissions. By creating a key that grants admin-only routes, an internal user bypasses role-based access control (RBAC), the mechanism that restricts system access to authorized users, resulting in full privilege escalation from internal user to proxy admin.

Recommendations: Update to version 1.83.14 or later.
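The defect described above, as an added example that is not LiteLLM's own code: a minimal key-generation handler in the vulnerable shape (the requested allow-list is persisted verbatim) beside a hardened one that refuses any route outside the caller's role, plus an audit sweep a defender can run over already-issued keys. The role table, route names, `Caller`/`APIKey` types and all function names are hypothetical and constructed for illustration; they are not LiteLLM's real route table or API.

```python
import secrets
from dataclasses import dataclass

# Constructed, hypothetical role -> route allow-list. The route names are
# illustrative only and are not LiteLLM's actual route table.
ROLE_ROUTES = {
    "proxy_admin": {
        "/key/generate", "/key/delete", "/user/new", "/model/new",
        "/chat/completions", "/embeddings",
    },
    "internal_user": {"/key/generate", "/chat/completions", "/embeddings"},
}


@dataclass(frozen=True)
class Caller:
    user_id: str
    role: str


@dataclass(frozen=True)
class APIKey:
    token: str
    owner: str
    allowed_routes: frozenset


class AuthorizationError(Exception):
    """Raised when a key request exceeds the caller's role permissions."""


def excess_routes(caller: Caller, requested_routes) -> frozenset:
    """Routes in the request that the caller's role does not permit."""
    permitted = ROLE_ROUTES.get(caller.role, set())
    return frozenset(requested_routes) - permitted


def generate_key_unchecked(caller: Caller, requested_routes) -> APIKey:
    """Vulnerable pattern: the requested allow-list is stored as given, so a
    lower-privileged user can mint a key that reaches admin-only routes."""
    return APIKey(
        token=secrets.token_hex(16),
        owner=caller.user_id,
        allowed_routes=frozenset(requested_routes),
    )


def generate_key_checked(caller: Caller, requested_routes) -> APIKey:
    """Hardened pattern: reject any request whose routes exceed the caller's
    role, so a stored allow-list can never outrank the user who created it."""
    excess = excess_routes(caller, requested_routes)
    if excess:
        raise AuthorizationError(
            f"{caller.user_id} ({caller.role}) may not grant {sorted(excess)}"
        )
    return APIKey(
        token=secrets.token_hex(16),
        owner=caller.user_id,
        allowed_routes=frozenset(requested_routes),
    )


def key_can_call(key: APIKey, route: str) -> bool:
    """Per-request check as a route-gated proxy would apply it."""
    return route in key.allowed_routes


def audit_keys(keys, users) -> list:
    """Defender-side sweep over existing keys: returns (token, owner, excess
    routes) for every key whose allow-list exceeds the owner's current role.
    `users` maps user_id -> Caller; keys with no known owner are reported whole."""
    findings = []
    for key in keys:
        owner = users.get(key.owner)
        excess = (excess_routes(owner, key.allowed_routes)
                  if owner else key.allowed_routes)
        if excess:
            findings.append((key.token, key.owner, frozenset(excess)))
    return findings


if __name__ == "__main__":
    internal = Caller("u-internal", "internal_user")
    rogue = generate_key_unchecked(internal, ["/user/new", "/chat/completions"])
    print("unchecked key reaches /user/new:", key_can_call(rogue, "/user/new"))
    try:
        generate_key_checked(internal, ["/user/new"])
    except AuthorizationError as err:
        print("checked generation refused:", err)
    print("audit findings:", audit_keys([rogue], {internal.user_id: internal}))
```

The check belongs at generation time because the per-request route gate trusts whatever allow-list was stored with the key; once an over-privileged key exists, every later request looks legitimate. That is also why `audit_keys` is worth running after upgrading: a fix to the generation path does not by itself tell you whether keys minted before it carry routes their owners should never have been able to grant.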

Exploit · Fix · LPE · Incorrect Authorization

Weakness Enumeration

Related Identifiers: CVE-2026-47101

Affected Products: Litellm