CVE-2026-40217
Published: 10 April 2026
Description
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the bytecode rewriting vulnerability in LiteLLM by applying patches or upgrades as recommended in the x41-dsec advisory.
Prevents exploitation by configuring LiteLLM to disable the unnecessary /guardrails/test_custom_code URI and other non-essential functions.
Blocks arbitrary code execution by validating and sanitizing all inputs submitted to the /guardrails/test_custom_code endpoint to prevent bytecode rewriting.
Security SummaryAI
CVE-2026-40217 is a critical vulnerability in LiteLLM versions through 2026-04-08 that enables remote attackers to execute arbitrary code through bytecode rewriting at the /guardrails/test_custom_code URI. Classified under CWE-420, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
The vulnerability can be exploited by remote attackers with low privileges over the network, requiring low attack complexity and no user interaction. Successful exploitation grants attackers the ability to execute arbitrary code on the affected system, potentially leading to full compromise including data theft, modification, or disruption of services.
The primary advisory from x41-dsec, available at https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm/, provides further details on the issue. Security practitioners should consult this reference for recommended mitigations and patches.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote code execution via a specific URI in LiteLLM, a network-exposed service, directly mapping to exploitation of public-facing applications.