
LiteLLM v1.83.13 Default internal_user Grants Full AI Gateway Takeover via Three-CVE Chain
LiteLLM's default low-privilege account, internal_user, permitted full server takeover through three chained CVEs, exposing every model key and prompt in transit. The pattern reveals an under-scrutinized authorization model in rapidly adopted AI gateways. Upgrading to v1.83.14-stable closes the chain but leaves extension-point abuse risks unaddressed.
LiteLLM functions as an OpenAI-compatible proxy for over 100 model providers. Researchers at Obsidian Security chained an unchecked allowed_routes write on key creation with unrestricted field updates on /user/update and unsandboxed Python exec in custom guardrails. The path required no initial admin rights and yielded the master decryption key plus the ability to rewrite callbacks for response forgery. CVSS for the full chain reached 9.9.
Procurement records and GitHub commit logs show LiteLLM deployments accelerating inside enterprise AI stacks without corresponding network segmentation or key rotation policies. The same unchecked write pattern appeared across three separate key-management endpoints, indicating the authorization model was never subjected to role-based testing. X41 D-Sec independently confirmed an alternate bytecode bypass on the test endpoint.
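The two unchecked-write defects described above share one shape: a request body is copied into a stored record without asking whether the caller is allowed to set each field. The block below is an added example, not LiteLLM's own code, showing that shape beside a role-aware allowlist and a role-matrix test of the kind the article says the authorization model never received. All names in it (User, UpdateError, apply_update_unchecked, apply_update_checked, the proxy_admin role name and the sample route) are assumptions made for the example.

```python
"""Added example, not LiteLLM's own code: the mass-assignment shape behind an
unrestricted field update, beside a role-aware allowlist, plus a role-matrix
test. Every name here (User, UpdateError, apply_update_*) is hypothetical."""
from dataclasses import dataclass, replace

# Fields an account holder may change about itself.
SELF_SERVICE_FIELDS = {"display_name"}
# Fields that confer authority (the user_role / allowed_routes pattern).
PRIVILEGED_FIELDS = {"user_role", "allowed_routes"}
ADMIN_ROLE = "proxy_admin"  # assumed role name


@dataclass(frozen=True)
class User:
    user_id: str
    user_role: str                 # e.g. "internal_user"
    allowed_routes: tuple = ()
    display_name: str = ""


class UpdateError(Exception):
    """Raised when a caller is not allowed to write a field."""


def apply_update_unchecked(target: User, patch: dict) -> User:
    """Vulnerable shape: every key in the request body is written through,
    so a low-privilege caller can set its own user_role or allowed_routes."""
    return replace(target, **patch)


def apply_update_checked(actor: User, target: User, patch: dict) -> User:
    """Hardened shape: decide field by field, based on who is asking."""
    unknown = set(patch) - SELF_SERVICE_FIELDS - PRIVILEGED_FIELDS
    if unknown:
        raise UpdateError(f"unknown fields: {sorted(unknown)}")
    is_admin = actor.user_role == ADMIN_ROLE
    is_self = actor.user_id == target.user_id
    if not (is_admin or is_self):
        raise UpdateError("only the owner or an admin may update this user")
    privileged = set(patch) & PRIVILEGED_FIELDS
    if privileged and not is_admin:
        raise UpdateError(f"{actor.user_role} may not set {sorted(privileged)}")
    return replace(target, **patch)


# Constructed write attempts: one harmless field, two privilege-bearing ones.
PROBES = (
    ("display_name", "anything"),
    ("user_role", ADMIN_ROLE),
    ("allowed_routes", ("/example/route",)),  # constructed route name
)


def role_matrix(update_fn) -> dict:
    """Role-based test: for each (role, field) pair, have an actor of that
    role try to write the field on its own record and record whether the
    write succeeded. A sound model rejects privileged writes from
    internal_user while still allowing self-service fields."""
    results = {}
    for role in ("internal_user", ADMIN_ROLE):
        for fld, value in PROBES:
            actor = User(user_id="u-1", user_role=role)
            try:
                update_fn(actor, actor, {fld: value})
                results[(role, fld)] = True
            except UpdateError:
                results[(role, fld)] = False
    return results


if __name__ == "__main__":
    handlers = (("unchecked", lambda a, t, p: apply_update_unchecked(t, p)),
                ("checked", apply_update_checked))
    for label, fn in handlers:
        for (role, fld), ok in role_matrix(fn).items():
            print(f"{label:9} {role:14} {fld:15} {'WRITTEN' if ok else 'rejected'}")
```

Running the matrix against the unchecked handler shows every cell as WRITTEN, which is the escalation path in one table; the checked handler rejects the two privileged fields for internal_user and nothing else. The same matrix, run in CI against each key- and user-management endpoint, is the cheapest way to catch a write path that was added without an authorization decision.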
Official release notes list the fix in v1.83.14-stable dated May 2, yet container images and Helm charts lagged by weeks. The exposure surface is wider than credential theft: an attacker controlling callbacks can inject forged tool calls that bypass downstream safety filters, a capability absent from most AI gateway threat models.
Organizations must inventory LiteLLM instances, revoke default internal_user accounts, and enforce network egress controls on the proxy. Continued reliance on unaudited extension points such as callbacks will repeat the same supply-chain exposure as organizations scale agent workloads.
CISA: 35% of exposed LiteLLM instances remain on versions before 1.83.14 by July 2026
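Because images and charts lagged the release notes, an inventory has to decide fix status per deployed tag rather than per announced version, and floating tags give no answer at all. The block below is an added example, not LiteLLM's, CISA's or any vendor's tooling: it triages a constructed list of image references against the fixed release (1.83.14) the article names. The registry names, tags and the assumption that a version appears in the tag as v1.83.13 or 1.83.14-stable are all constructed for the example.

```python
"""Added example, not LiteLLM's or CISA's tooling: classify constructed proxy
image references as vulnerable, fixed or unknown relative to the 1.83.14 fix.
Image names and tags are constructed; the tag layout is an assumption."""
import re

FIXED = (1, 83, 14)   # first release the page names as closing the chain
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(tag: str):
    """Extract (major, minor, patch) from a tag such as 'v1.83.13' or
    '1.83.14-stable'; return None when the tag carries no version."""
    m = VERSION_RE.search(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def image_tag(image_ref: str) -> str:
    """Return the tag part of an image reference, tolerating registry ports
    (registry:5000/...) and digest pins (...@sha256:...)."""
    name = image_ref.rsplit("/", 1)[-1].split("@", 1)[0]
    return name.split(":", 1)[1] if ":" in name else ""


def classify(image_ref: str) -> str:
    """'vulnerable' below the fix, 'fixed' at or above it, and 'unknown' for
    floating or missing tags, which must be resolved by digest, not trusted."""
    version = parse_version(image_tag(image_ref))
    if version is None:
        return "unknown"
    return "vulnerable" if version < FIXED else "fixed"


def triage(inventory) -> dict:
    """Group image references by status so the vulnerable and unknown
    buckets can be worked first."""
    groups = {"vulnerable": [], "fixed": [], "unknown": []}
    for ref in inventory:
        groups[classify(ref)].append(ref)
    return groups


# Constructed inventory, not real deployments.
INVENTORY = [
    "registry.example/litellm:v1.83.13",
    "registry.example:5000/ai/litellm:1.83.14-stable",
    "registry.example/litellm:latest",
    "registry.example/litellm:v1.84.0",
    "registry.example/litellm",
]

if __name__ == "__main__":
    for status, refs in triage(INVENTORY).items():
        for ref in refs:
            print(f"{status:10} {ref}")
```

The unknown bucket is deliberate: a tag like latest says nothing about what is running, so those instances are treated as unresolved rather than silently counted as fixed. The same parse step can be pointed at the version string a running proxy reports, which is the check to pair with revoking the default internal_user account and restricting the proxy's egress.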
Sources (2)
- [1] The Hacker News (https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html)
- [2] Obsidian Security Disclosure (https://obsidian.security/research/litellm-cve-chain)