<Vulnerability name="CVE-2026-59821">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-08T19:14:13</PublicDate>
    <Bugzilla id="2498202" url="https://bugzilla.redhat.com/show_bug.cgi?id=2498202" xml:lang="en:us">
litellm: LiteLLM: Arbitrary code execution and information disclosure via custom code guardrails
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.2</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-94</CWE>
    <Details xml:lang="en:us" source="Mitre">
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.82.0-stable, LiteLLM's Custom Code Guardrails production create and update paths did not apply the same sandboxing and validation used by the test endpoint, allowing a privileged user with access to create or update guardrails to submit custom Python code that executed in the LiteLLM proxy environment and could expose secrets available to the process. This issue is fixed in version 1.82.0-stable.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in LiteLLM, a proxy server for Large Language Model (LLM) APIs. A privileged user with access to create or update custom code guardrails could exploit this vulnerability. The flaw allowed the user to submit custom Python code that would execute within the LiteLLM proxy environment, potentially exposing sensitive information or secrets accessible to the process.
    </Details>
    <Statement xml:lang="en:us">
Red Hat rates this flaw with higher severity than the upstream GitHub Security Advisory (GHSA-72m8-9m7m-h278, CVSS v4.0 2.1, Low). Red Hat scored this CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2, Important) because a successful exploit grants arbitrary Python code execution within the LiteLLM proxy process, resulting in full compromise of the confidentiality, integrity, and availability of that component, including exposure of any secrets accessible to the process. Exploitation requires an authenticated caller with privileges to create or update LiteLLM Custom Code Guardrails, which is a proxy-administrator-level capability in default configurations.
    </Statement>
    <Mitigation xml:lang="en:us">
Upgrade litellm to 1.82.0 or later, which enforces the same code-safety checks on the guardrail create/update endpoints as the test endpoint. If upgrading is not immediately possible, restrict access to POST /guardrails and PUT /guardrails/{guardrail_id} to trusted administrators only, ensure LITELLM_MASTER_KEY is configured so unauthenticated callers are not treated as proxy administrators, and avoid enabling Custom Code Guardrails for untrusted users.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:exploit_intelligence:0">
        <ProductName>Exploit Intelligence</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>exploit-intelligence-tech-preview/vulnerability-analysis-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:lightspeed_core">
        <ProductName>Lightspeed Core</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>lightspeed-core/lightspeed-stack-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>ansible-automation-platform-26/lightspeed-chatbot-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>ansible-automation-platform-27/lightspeed-chatbot-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-llama-stack-core-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-mlflow-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-59821
https://nvd.nist.gov/vuln/detail/CVE-2026-59821
https://github.com/BerriAI/litellm/commit/e50b4486d0f7aa0497185a1ebcdd2c91f1769eba
https://github.com/BerriAI/litellm/releases/tag/v1.82.0-stable
https://github.com/BerriAI/litellm/security/advisories/GHSA-72m8-9m7m-h278
    </References>
</Vulnerability>