PyPI: litellm

CVE-2026-40217

Safety vulnerability ID: SFTY-20260511-02826

Safety legacy ID: pyup.io-96900

Affected versions of the litellm package are vulnerable to Sandbox Escape due to an insufficient hand-rolled sandbox in the custom-code guardrail testing endpoint. The POST /guardrails/test_custom_code endpoint executes user-supplied Python code within a custom sandbox that can be bypassed using bytecode-level techniques, allowing arbitrary code execution in the proxy process. An attacker with proxy-admin credentials can escape the sandbox to achieve arbitrary code execution, which runs as root in the default Docker image.

Created at: May 11, 2026. Updated at: May 11, 2026.

Overview

LiteLLM has a sandbox escape in its custom-code guardrail


Affected Package

Affects the litellm package, versions >=1.81.8,<1.83.10


How to Fix

Upgrade litellm to 1.83.10 or higher.




Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
