PT-2026-42539 · Litellm · Litellm
Published 2026-05-21 · Updated 2026-06-16
CVE-2026-47102

| Metric | Value |
|---|---|
| CVSS v3.1 | 8.8 (High) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
LiteLLM versions prior to 1.83.10
Description
An issue exists where the '/user/update' endpoint does not restrict which fields a user can modify when updating their own account. This allows a user to change their user role to proxy admin, granting full administrative access to all users, teams, keys, models, and prompt history. Users with the org admin role can exploit this directly, as they have legitimate access to the endpoint.
Recommendations
Update to version 1.83.10 or later.
As a temporary workaround, restrict access to the '/user/update' endpoint to prevent unauthorized modification of the user role variable.
Exploit
Fix
LPE
Incorrect Authorization
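The bug class described above is a mass-assignment authorization flaw: a self-service update handler copies every field from the request body into the user record, so a field that should be admin-only (the user role) becomes writable by the caller. The following is an added illustration, not LiteLLM's code, of that pattern beside a hardened handler that accepts only an allowlist of self-editable fields and reserves privileged fields for a proxy admin. The role names, field names and the in-memory user store are assumptions constructed for the example.

```python
"""Illustration (not LiteLLM's code) of the mass-assignment bug class behind
CVE-2026-47102: a self-service '/user/update'-style handler that merges every
field of the request body, versus one that enforces a field allowlist and
reserves role changes to a proxy admin."""
from copy import deepcopy

# Role names are assumptions for this example, not LiteLLM's identifiers.
PROXY_ADMIN = "proxy_admin"
ORG_ADMIN = "org_admin"
INTERNAL_USER = "internal_user"

# Assumed field sets: what a caller may change on their own record, and
# what only a proxy admin may set on any record.
SELF_EDITABLE_FIELDS = {"user_email", "user_alias", "metadata"}
ADMIN_ONLY_FIELDS = {"user_role", "max_budget", "teams"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to modify the requested fields."""


def constructed_user_store():
    """Constructed sample data: one org admin and one proxy admin."""
    return {
        "u-org": {"user_id": "u-org", "user_role": ORG_ADMIN, "user_email": "org@example.test"},
        "u-root": {"user_id": "u-root", "user_role": PROXY_ADMIN, "user_email": "root@example.test"},
    }


def update_user_vulnerable(store, caller_id, payload):
    """Vulnerable pattern: the caller is authenticated (caller_id is known) but
    never authorized per field; every key of the body lands in the record, so
    'user_role' is writable by whoever can reach the endpoint."""
    store = deepcopy(store)
    target = store[payload["user_id"]]
    target.update({k: v for k, v in payload.items() if k != "user_id"})
    return store


def update_user_hardened(store, caller_id, payload):
    """Hardened pattern: reject unknown fields, let non-admins touch only their
    own record, and restrict admin-only fields to proxy admins. The store is
    left untouched whenever the request is refused."""
    store = deepcopy(store)
    caller = store[caller_id]
    target_id = payload["user_id"]
    requested = {k: v for k, v in payload.items() if k != "user_id"}
    is_proxy_admin = caller["user_role"] == PROXY_ADMIN

    unknown = set(requested) - SELF_EDITABLE_FIELDS - ADMIN_ONLY_FIELDS
    if unknown:
        raise Forbidden(f"unknown fields: {sorted(unknown)}")
    if not is_proxy_admin:
        if target_id != caller_id:
            raise Forbidden("non-admins may only update their own record")
        privileged = set(requested) & ADMIN_ONLY_FIELDS
        if privileged:
            raise Forbidden(f"admin-only fields: {sorted(privileged)}")
    store[target_id].update(requested)
    return store


def role_after_self_update(handler):
    """Send the same self-service update (a legitimate e-mail change bundled
    with a 'user_role' field) through a handler and report the caller's
    resulting role, so the two handlers can be contrasted directly."""
    store = constructed_user_store()
    payload = {"user_id": "u-org", "user_email": "new@example.test", "user_role": PROXY_ADMIN}
    try:
        updated = handler(store, "u-org", payload)
    except Forbidden:
        return store["u-org"]["user_role"]  # refused: original record unchanged
    return updated["u-org"]["user_role"]


if __name__ == "__main__":
    print("vulnerable handler ->", role_after_self_update(update_user_vulnerable))
    print("hardened handler   ->", role_after_self_update(update_user_hardened))
```

The hardened handler fails closed on any field outside the two known sets, which is what makes the allowlist robust against future schema additions; a denylist of "user_role" alone would have to be revisited every time a new privileged field is added to the model. The same check is the substance of the advisory's interim workaround, which reaches the equivalent outcome by blocking writes to the role field at the endpoint boundary rather than inside the handler.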
Weakness Enumeration
Related Identifiers
Affected Products
Litellm