Guardrail Sandbox Escape in LiteLLM

60% confidence

Description

The LiteLLM proxy's /guardrails/test_custom_code endpoint allows authenticated users to submit arbitrary Python code for guardrail testing. Regex-based source code filtering is bypassed via string concatenation and CPython bytecode manipulation, enabling arbitrary code execution on the server.

Affected Products

Vendor	Product	Versions
berriai	litellm	main-latest (docker image ghcr.io/berriai/litellm:main-latest, repo digest ghcr.io/berriai/litellm@sha256:bb0639701796218a3447160e55c0f1097446e4e6085df7dfd39f476d4143743f)

Related News (1 articles)

Tier C

oss-security4h ago

X41 Advisory X41-2026-001: Guardrail Sandbox Escape in LiteLLM

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

CWECWE-94

PublishedApr 9, 2026

Last enriched3h ago

Guardrail Sandbox Escape in LiteLLM

Description

Affected Products

Related News (1 articles)

Community Vote

Pin to Dashboard

Verification

Vulnerability Timeline