HomeCVE Intelligence › CVE-2026-40217
CVSS 8.8 HIGH Vulnerability

CVE-2026-40217: LiteLLM has a sandbox escape in custom-code guardrail

Impact The POST /guardrails/test_custom_code endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy pr…

8.8CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-40217
Vendorpip
Affected Productlitellm
Vulnerability TypeVulnerability
CVSS Score8.8 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Impact The POST /guardrails/test_custom_code endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image. Reaching the endpoint requires a proxy-admin credential in default configurations.

Patches Fixed in 1.83.11. The hand-rolled sandbox has been replaced with RestrictedPython. Upgrade to 1.83.11 or later.

Workarounds If upgrading is not immediately possible, block POST /guardrails/test_custom_code at your reverse proxy or API gateway.

References - Patched release: [v1.83.10-stable](https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable)

🎯 Known Indicators of Compromise

{"type":"url","value":"https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable)","confidence_score":0.82,"first_seen":"2026-05-11","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-40217 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence