CVE Reports

Originally published at cvereports.com

CVE-2026-40217: Remote Code Execution via Sandbox Escape in LiteLLM

Vulnerability ID: CVE-2026-40217
CVSS Score: 8.8
Published: 2026-05-11

LiteLLM, an open-source LLM proxy, contains a critical sandbox escape vulnerability in its guardrail testing endpoint. An authenticated attacker can bypass regex-based source-code filtering by leveraging Python object hierarchy traversal and runtime bytecode manipulation, leading to arbitrary code execution as the process owner.

TL;DR

An authenticated RCE vulnerability exists in LiteLLM's /guardrails/test_custom_code endpoint. The custom Python sandbox relies on flawed regex filtering, allowing attackers to rewrite function bytecode and access restricted built-ins to execute system commands.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94
  • Attack Vector: Network
  • CVSS v3.1 Score: 8.8
  • EPSS Score: 0.0024
  • Impact: Remote Code Execution
  • Exploit Status: Proof of Concept (PoC)

Affected Systems

  • LiteLLM Proxy
  • LiteLLM Docker Containers
  • LiteLLM: <= 2026-04-08 (Fixed in: v1.83.10-stable)

Exploit Details

  • X41 D-Sec GmbH: Proof of Concept demonstrating Python sandbox escape via MRO and bytecode rewriting.

Mitigation Strategies

  • Software Update
  • Network Segmentation
  • Privilege Reduction
  • URI Blocking

Remediation Steps:

  1. Identify all running instances of the LiteLLM proxy within the infrastructure.
  2. Pull the updated Docker image for LiteLLM version v1.83.10-stable or higher.
  3. Redeploy the LiteLLM containers specifying an unprivileged user via the Docker --user flag.
  4. Configure the upstream reverse proxy (e.g., Nginx or Traefik) to block POST requests targeting /guardrails/test_custom_code.
  5. Verify that the management port (default 4000) is unreachable from the public internet.
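One way to verify step 4 from the reverse proxy's access log, as an added example that is not part of the original report or of LiteLLM. It assumes combined log format and a proxy rule that answers blocked requests with 403; the log lines are constructed samples and the function names are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote

ENDPOINT = "/guardrails/test_custom_code"  # path named in the advisory

# Assumed layout: combined log format, as written by Nginx and similar proxies.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Reduce a request target to a canonical path. Deliberately over-matches
    so that alternative spellings of the path are counted too."""
    path = unquote(target.split("?", 1)[0])   # drop query, decode %xx
    path = re.sub(r"/{2,}", "/", path)        # collapse repeated slashes
    return posixpath.normpath(path)           # resolve ./.. and trailing slash

def audit(lines, blocked_status=frozenset({"403"})):
    """Return (blocked, passed): POSTs to ENDPOINT the proxy refused, and
    POSTs that got any other status and therefore need investigation."""
    blocked, passed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or normalize(m["target"]) != ENDPOINT:
            continue
        hit = (m["ip"], m["target"], m["status"])
        (blocked if m["status"] in blocked_status else passed).append(hit)
    return blocked, passed

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2026:10:01:02 +0000] "POST /guardrails/test_custom_code HTTP/1.1" 403 153 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/May/2026:10:01:09 +0000] "POST /guardrails/test_custom_code/ HTTP/1.1" 200 412 "-" "curl/8.5.0"',
    '198.51.100.4 - - [12/May/2026:10:02:30 +0000] "POST /guardrails/test%5Fcustom_code?x=1 HTTP/1.1" 200 398 "-" "python-requests/2.32"',
    '192.0.2.10 - - [12/May/2026:10:03:00 +0000] "POST /chat/completions HTTP/1.1" 200 2048 "-" "openai-python"',
    '192.0.2.10 - - [12/May/2026:10:03:05 +0000] "GET /guardrails/test_custom_code HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    blocked, passed = audit(SAMPLE_LOG)
    print(f"blocked by proxy: {len(blocked)}")
    for ip, target, status in passed:
        print(f"NOT BLOCKED: {ip} POST {target} -> {status}")
```

Any entry in the second list means the block rule does not cover that form of the path, or the request reached LiteLLM by a route that bypasses the proxy.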

Read the full report for CVE-2026-40217 on our website for more details including interactive diagrams and full exploit analysis.
