LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers

Researchers at Obsidian Security discovered a critical vulnerability chain in LiteLLM, a popular open-source AI gateway used to manage requests across more than 100 large language model providers. The flaw allows low-privilege default accounts to escalate to full administrator access and execute arbitrary code on affected servers.

LiteLLM functions as a reverse proxy, translating API calls into a unified OpenAI-compatible interface while handling authentication and routing. Organizations deploy it to consolidate access to multiple AI models behind a single gateway. The vulnerability chain exposes a severe operational risk. A compromised default account—common in hastily deployed systems—grants attackers the ability to reach full administrative control. Once achieved, the attacker gains access to all provider API keys stored on the server. These credentials unlock direct access to expensive model services across every integrated provider, enabling the attacker to drain API quotas, steal proprietary model outputs, or impersonate legitimate service requests.

The three-stage exploitation chain works by chaining separate flaws that individually might seem minor but collectively create a direct path to system compromise. Attackers exploit the authentication weakness present in default account configurations, then leverage privilege escalation bugs to move laterally within the application, finally reaching code execution capabilities. The attack requires no authentication bypass at the gateway level. Instead, it abuses trust relationships inherent in the proxy's design.

The impact extends beyond financial loss. Attackers could modify model inputs or outputs, inject malicious responses into downstream applications, or access sensitive data passed through API calls. Organizations running LiteLLM in production environments face immediate risk if they have not patched the gateway or secured default credentials.

Obsidian Security's disclosure includes technical details enabling security teams to assess their exposure. Affected organizations should immediately audit LiteLLM deployments for default accounts, apply available patches, and rotate all stored API keys for connected