CVE-2026-40217
LiteLLM has a sandbox escape in custom-code guardrail
Description
### Impact The `POST /guardrails/test_custom_code` endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image. **Reaching the endpoint requires a proxy-admin credential** in default configurations. ### Patches Fixed in **`1.83.11`**. The hand-rolled sandbox has been replaced with `RestrictedPython`. Upgrade to `1.83.11` or later. ### Workarounds If upgrading is not immediately possible, block `POST /guardrails/test_custom_code` at your reverse proxy or API gateway. ### References - Patched release: [`v1.83.10-stable`](https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable)
How to fix CVE-2026-40217
To remediate CVE-2026-40217, upgrade the affected package to a fixed version below.
- —upgrade to 1.83.10 or later
Is CVE-2026-40217 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.81.8, < 1.83.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |