CVE-2026-40217

Severity: HIGH · Lab available

LiteLLM < 2026-04-08 - Remote Code Execution via Guardrails Test Custom Code Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-40217. PoCs published by learner202649.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-40217, demonstrating a sandbox escape in LiteLLM's guardrail testing endpoint leading to remote code execution (RCE) as root in default Docker deployments. The exploit leverages CPython bytecode rewriting to bypass regex-based source code filtering.

Description

LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.

Exploits (1)

GitHub · Working PoC
by learner202649 · Python PoC
https://github.com/learner202649/CVE-2026-40217-PoC

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LiteLLM ≤ 2026-04-08 (pre-v1.83.11)
Auth required: yes
Prerequisites: authenticated access to the LiteLLM instance · master key or valid authentication token
Analyzed by devstral-2 on May 19, 2026

Scores

CVSS v3: 8.8
EPSS: 0.0010
EPSS Percentile: 26.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Lab Environment

Community Lab
docker pull ghcr.io/berriai/litellm@sha256:7c311546c25e7bb6e8cafede9fcd3d0d622ac636b5c9418befaa32e85dfb0186
docker pull ghcr.io/berriai/litellm:v1.83.11-stable

Details

CWE: CWE-420
Status: published
Products (3):
BerriAI/LiteLLM bb0639701796218a3447160e55c0f1097446e4e6085df7dfd39f476d4143743f
litellm/litellm < 2026-04-08
pypi/litellm 1.81.8 - 1.83.10 (PyPI)
Published: Apr 10, 2026
Tracked Since: Apr 10, 2026