Broken Access Control in LiteLLM /config/update Endpoint

Repository is a standalone Python PoC for CVE-2026-35029, a broken access control issue in LiteLLM < 1.83.0 where authenticated non-admin users can call /config/update without the required proxy_admin role. The repo contains 11 files: documentation (README.md, docs/advisory.md, screenshots/README.md), environment orchestration (docker-compose.yml, litellm_config.yaml, requirements.txt), an attacker exfiltration service (exfil-server/Dockerfile and exfil-server/server.py), and exploit logic (exploit/exploit.py and exploit/payload.py). The main exploit flow in exploit/exploit.py uses requests to: verify target reachability, POST malicious JSON to /config/update, register pass-through endpoints, trigger those endpoints, and then fetch attacker-side logs from /logs. payload.py builds three malicious config payloads: one for environment variable exfiltration by mapping headers like X-Exfil-*-VAR to os.environ/VAR, one for file-read style abuse using LANGFUSE-related headers, and one for overwriting UI credentials. The included exfiltration server is a simple Python HTTP server that listens on port 9999, logs all inbound headers/body, exposes /health and /logs, and base64-decodes selected header values for easier inspection. docker-compose.yml creates a reproducible lab with PostgreSQL, a vulnerable LiteLLM image pinned by digest on port 4000, an optional fixed LiteLLM on port 4001, and the attacker exfiltration server on port 9999. The exploit’s primary demonstrated capability is unauthorized configuration modification leading to secret exfiltration (e.g., LITELLM_MASTER_KEY, DATABASE_URL, AWS_SECRET_ACCESS_KEY, OPENAI_API_KEY). The repository also documents additional impact including arbitrary file read, admin credential overwrite, and possible RCE through attacker-controlled pass-through handlers. Overall, this is a real operational PoC rather than a detector: it actively changes target configuration and exfiltrates data to attacker infrastructure.