CVE-2026-40217: LiteLLM has a sandbox escape in custom-code guardrail

May 11, 2026

The POST /guardrails/test_custom_code endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.

Reaching the endpoint requires a proxy-admin credential in default configurations.

References

github.com/BerriAI/litellm/releases/tag/v1.83.10-stable
github.com/BerriAI/litellm/security/advisories/GHSA-wxxx-gvqv-xp7p
github.com/advisories/GHSA-wxxx-gvqv-xp7p
nvd.nist.gov/vuln/detail/CVE-2026-40217
www.x41-dsec.de/lab/advisories/x41-2026-001-litellm

Code Behaviors & Features

Detect and mitigate CVE-2026-40217 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →