{"vulnerability": "cve-2026-4021", "sightings": [{"uuid": "5fc01688-40e9-444e-833b-59e21f3b8943", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4021", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mhrbw2jt5724", "content": "", "creation_timestamp": "2026-03-24T00:09:46.730054Z"}, {"uuid": "6a3a6567-1f6c-44a5-933e-a53ae6a2b394", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40212", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mj53dzfqnr2q", "content": "", "creation_timestamp": "2026-04-10T10:09:27.361773Z"}, {"uuid": "98fc3d4d-53c7-4a46-b20c-40cddfea2db4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4021", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mhrchlqftr2e", "content": "", "creation_timestamp": "2026-03-24T00:19:35.957251Z"}, {"uuid": "cd2a3c4a-40a5-43a6-9de9-aec6744258db", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40213", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlcjjhsyd62k", "content": "CVE-2026-40213 - OpenStack Cyborg Default Policy Authorization Bypass\nCVE ID : CVE-2026-40213\n \n Published : May 7, 2026, 10:16 p.m. | 2\u00a0hours, 9\u00a0minutes ago\n \n Description : OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API ...", "creation_timestamp": "2026-05-08T00:56:44.826109Z"}, {"uuid": "d999fdba-3fdb-47d4-b2c2-b4c732f8508f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40217", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mkjc3k7ttb2z", "content": "", "creation_timestamp": "2026-04-28T00:07:07.902916Z"}, {"uuid": "9ac10384-b0e8-4a93-9399-5d6a0554d6c1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40213", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mlbwiqouav2m", "content": "[OSSA-2026-011] OpenStack Cyborg: Multiple access control vulnerabilities in Cyborg accelerator management (CVE-2026-40213, CVE-2026-40214)", "creation_timestamp": "2026-05-07T19:16:19.234786Z"}, {"uuid": "31f94d52-246e-4659-883b-35f9e199bf41", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40214", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mlbwiqouav2m", "content": "[OSSA-2026-011] OpenStack Cyborg: Multiple access control vulnerabilities in Cyborg accelerator management (CVE-2026-40213, CVE-2026-40214)", "creation_timestamp": "2026-05-07T19:16:19.426389Z"}, {"uuid": "17b887a5-7c47-4bba-b246-41756975b683", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40217", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mj5nnyqjgd2j", "content": "", "creation_timestamp": "2026-04-10T15:37:09.730534Z"}, {"uuid": "65e9e1d3-5451-4159-a24a-c41a41e7c142", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40217", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mj7lcnmbmh2w", "content": "", "creation_timestamp": "2026-04-11T10:00:21.433893Z"}, {"uuid": "fcd3a608-5d5c-41f7-8d3d-ccbdfd3d5da7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40217", "type": "seen", "source": "Telegram/BHjpIBo0iRlJvCTjCc1tWATK3ONpTPYFFDHwGYF-bIOT41U", "content": "", "creation_timestamp": "2026-04-10T15:17:37.000000Z"}, {"uuid": "a7438769-8622-4716-a722-c4193d087d8d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40214", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlcjmtmgth2o", "content": "CVE-2026-40214 - OpenStack Cyborg Accelerator Request API Cross-Tenant Denial of Service\nCVE ID : CVE-2026-40214\n \n Published : May 7, 2026, 10:16 p.m. | 2\u00a0hours, 9\u00a0minutes ago\n \n Description : In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enfor...", "creation_timestamp": "2026-05-08T00:58:37.553150Z"}, {"uuid": "720c1245-8d16-42c2-a2c5-4b4d8ebc0657", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40217", "type": "seen", "source": "https://gist.github.com/alon710/37ecce29751bae48629dbc52c1e489d5", "content": "# CVE-2026-40217: CVE-2026-40217: Remote Code Execution via Sandbox Escape in LiteLLM\n\n> **CVSS Score:** 8.8\n> **Published:** 2026-05-11\n> **Full Report:** https://cvereports.com/reports/CVE-2026-40217\n\n## Summary\nLiteLLM, an open-source LLM proxy, contains a critical sandbox escape vulnerability in its guardrail testing endpoint. An authenticated attacker can bypass regex-based source-code filtering by leveraging Python object hierarchy traversal and runtime bytecode manipulation, leading to arbitrary code execution as the process owner.\n\n## TL;DR\nAn authenticated RCE vulnerability exists in LiteLLM's `/guardrails/test_custom_code` endpoint. The custom Python sandbox relies on flawed regex filtering, allowing attackers to rewrite function bytecode and access restricted built-ins to execute system commands.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-94\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 8.8\n- **EPSS Score**: 0.0024\n- **Impact**: Remote Code Execution\n- **Exploit Status**: Proof of Concept (PoC)\n\n## Affected Systems\n\n- LiteLLM Proxy\n- LiteLLM Docker Containers\n- **LiteLLM**: <= 2026-04-08 (Fixed in: `v1.83.10-stable`)\n\n## Mitigation\n\n- Software Update\n- Network Segmentation\n- Privilege Reduction\n- URI Blocking\n\n**Remediation Steps:**\n1. Identify all running instances of the LiteLLM proxy within the infrastructure.\n2. Pull the updated Docker image for LiteLLM version v1.83.10-stable or higher.\n3. Redeploy the LiteLLM containers specifying an unprivileged user via the Docker `--user` flag.\n4. Configure the upstream reverse proxy (e.g., Nginx or Traefik) to block POST requests targeting `/guardrails/test_custom_code`.\n5. Verify that the management port (default 4000) is unreachable from the public internet.\n\n## References\n\n- [X41 D-Sec Security Advisory](https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm/)\n- [SentinelOne Vulnerability Database](https://www.sentinelone.com/vulnerability-database/cve-2026-40217/)\n- [LiteLLM Release v1.83.10-stable](https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable)\n- [CVE Record (CVE.org)](https://www.cve.org/CVERecord?id=CVE-2026-40217)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-40217) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-11T17:10:29.000000Z"}, {"uuid": "93e96dba-3704-4f6c-8592-c285c6fc101c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40217", "type": "published-proof-of-concept", "source": "Telegram/SM41ZgDjE5GCx8_K5BndOjKQZfdnq7khstyXQtIQ9aWd83s", "content": "", "creation_timestamp": "2026-05-19T21:00:04.000000Z"}]}