LiteLLM guardrails endpoint sandbox escape enables authenticated RCE
TL;DR — LiteLLM’s /guardrails/test_custom_code endpoint can be abused to escape its intended restrictions and execute attacker-controlled code on the server via bytecode rewriting techniques.
What happened
LiteLLM is an open-source LLM proxy that provides an OpenAI-compatible API and operational features like routing, rate limiting, and “guardrails” for filtering requests/responses. CVE-2026-40217 describes a High-severity remote code execution path in LiteLLM where attackers can execute arbitrary code by abusing the guardrails “test custom code” API.
The CVE record states that LiteLLM through 2026-04-08 allows code execution via bytecode rewriting at the /guardrails/test_custom_code URI. The referenced X41 advisory (X41-2026-001) provides a concrete bypass narrative: the endpoint accepts user-supplied Python code intended for guardrail testing and attempts to restrict dangerous operations using regex-based source filtering, which can be bypassed by constructing blocked identifiers dynamically and rewriting CPython bytecode to reach real builtins (e.g., __import__).
| Item | Source value |
|---|---|
| Affected software | LiteLLM (BerriAI) |
| Vulnerable surface | POST /guardrails/test_custom_code |
| Impact | Arbitrary code execution on the LiteLLM server via bytecode rewriting |
| Severity | CVSS v3.1 8.8 (High) |
| Affected scope (as described) | CVE: “through 2026-04-08”; X41 confirmed affected: ghcr.io/berriai/litellm:main-latest (digest sha256:bb063...743f) |
| CWE labeling | CVE record: CWE-420; X41 advisory: CWE-94 |
Why this matters: “sandboxing” custom code via string/regex filtering is a recurring anti-pattern; once attackers can reach Python builtins, it frequently becomes full code execution with the privileges of the running service (often elevated in container defaults).
Who is impacted
- Deployments exposing LiteLLM’s management/guardrails functionality where users can reach
/guardrails/test_custom_code. - Environments where authenticated but non-fully-trusted users or services can call admin/guardrails endpoints (the CVSS vector for CVE-2026-40217 indicates
PR:L). - Higher-risk installations where the LiteLLM process runs with broad privileges (e.g., container setups where the service runs as
root, as highlighted by the X41 advisory’s default Docker example). - Teams treating guardrails as a hard isolation boundary for running untrusted “custom code” rather than as a best-effort policy layer.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing (the CVE record does not list a fixed version).
- Treat this as a reachable code-execution surface and reduce exposure until a vendor patch is confirmed:
- Block or disable access to
POST /guardrails/test_custom_codeat the reverse proxy / gateway layer. - Restrict who can authenticate to LiteLLM’s administrative interfaces and ensure the master/admin credentials are not shared broadly.
- Limit network reachability of the LiteLLM admin port to trusted hosts only (firewalls / security groups / private networks).
- Reduce blast radius by running the service as a non-root user where operationally feasible.
- Block or disable access to
- If compromise is suspected, review audit logs and HTTP access logs for requests to
/guardrails/test_custom_code, and rotate secrets accessible to the LiteLLM runtime (LLM provider keys, database credentials, downstream service tokens).
"No vendor patch is available at the time of publication."
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.