LiteLLM Flaw Lets Any User Seize Full Admin Control
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 23, 2026
cybr.cx | Daily Digest — May 23, 2026
Critical Vulnerabilities
CVE-2026-47102 — LiteLLM < 1.83.10 | CVSS 8.8 (HIGH)
Any authenticated user can hit /user/update and set their own user_role to proxy_admin, granting full administrative access to all users, teams, API keys, models, and prompts. No special privileges are required to trigger this — just a valid account. If you're running LiteLLM as a shared AI gateway, assume blast radius is total. Patch to 1.83.10 or later immediately.
CVE-2026-47101 — LiteLLM < 1.83.14 | CVSS 8.8 (HIGH)
A closely related flaw in LiteLLM allows an internal_user to mint API keys with access to admin-only routes by supplying arbitrary values in the allowed_routes field during key creation — no validation is performed against the creator's own permissions. The resulting key works as intended, bypassing RBAC entirely. Patch to 1.83.14; audit any API keys created by non-admin users in the interim.
CVE-2026-9018 — Easy Elements for Elementor ≤ 1.4.5 (WordPress) | CVSS 8.8 (HIGH)
The plugin's registration AJAX handler iterates an attacker-controlled custom_meta POST array and writes every key-value pair directly to the new user's account metadata — no sanitisation, no field allowlist. An unauthenticated attacker can register an account and simultaneously assign themselves administrator-level capabilities. Privilege escalation to admin with zero prior access is the outcome. Update or remove the plugin now.
CVE-2026-4834 — WP ERP Pro ≤ 1.5.1 (WordPress) | CVSS 7.5 (HIGH)
The search_key parameter is insufficiently escaped before being passed into SQL queries, allowing unauthenticated attackers to append arbitrary SQL. Depending on database permissions and configuration, this could expose sensitive HR and business data stored by the plugin. Standard SQLi remediation applies: update to 1.5.2+, review database user privileges, and check logs for unusual query patterns.
Headline News
Single-click RCE in widely-used Linux document viewers
A critical argument injection vulnerability — CVE-2026-46529 — has been disclosed in Evince, Atril, and Xreader, three of the most common document viewer applications across Linux desktop environments. The flaw stems from missing shell quoting when the applications compose a command line, meaning a maliciously crafted document can achieve code execution with a single click from the victim. The attack surface is broad: these viewers ship as default applications in GNOME, MATE, and XFCE-based distributions, meaning a phishing email with a weaponised PDF or ebook attachment is a fully viable delivery mechanism. A proof-of-concept has already been published. Linux desktop administrators and security teams supporting developer environments should prioritise patching and consider reviewing file handler configurations as a short-term mitigation.
Massive supply chain attack poisons over 5,500 GitHub repositories via CI/CD commits
In a six-hour window, malicious commits were injected into 5,561 GitHub repositories, with the changes deliberately crafted to resemble routine bot-generated maintenance activity — the kind of noise that typically flies under reviewers' radar. The scale and speed of the campaign suggest automation and pre-positioned access, pointing toward either compromised OAuth tokens, malicious GitHub Apps, or a vulnerability in a widely-used CI/CD integration. For practitioners, the immediate action is auditing recent commits from bot accounts and reviewing which third-party GitHub Apps have write access to your repositories. This incident reinforces that CI/CD pipelines remain a high-value, under-monitored attack surface — and that commit signing and pipeline integrity controls are no longer optional for security-conscious teams.
Harvard and 140 other legitimate sites weaponised in coordinated campaign
More than 140 legitimate, high-reputation websites — including Harvard University infrastructure — have been compromised and are being actively used in what appears to be a coordinated campaign, likely for SEO poisoning, malware distribution, or phishing lure hosting. The use of trusted domains is deliberate: reputation-based web filtering and user intuition both fail when the malicious content is served from a .edu or established institutional domain. For defenders, this is a reminder that allowlisting by domain reputation alone is insufficient, and that content inspection and sandboxing remain essential layers. Incident responders should also check whether any of the compromised domains are referenced in their organisation's trusted sender lists or browser security policies.
Schrödinger's Feed
Logical qubits just beat physical qubits at a real task — and that's a bigger deal than it sounds
Pasqal, working with Université Paris-Saclay and the Institut d'Optique, has published benchmarks showing error-detected logical qubits outperforming their physical counterparts when solving differential equations using a quantum kernel-based machine learning algorithm. This matters because logical qubits — which use error correction to produce more reliable computation — have historically carried enough overhead to perform worse than raw physical qubits in practice; crossing that threshold is a genuine milestone on the road to fault-tolerant quantum computing. The cryptographic relevance is straightforward: the algorithms that threaten RSA and ECC (Shor's) and those that weaken symmetric encryption (Grover's) require fault-tolerant machines to be practical at scale. Practitioners implementing post-quantum cryptography migration programmes should note that timelines are compressing — this is the kind of incremental hardware proof that closes the gap between theory and threat.
/dev/random
A popular developer essay this week makes the case that AI tools have a "multiplying effect" on existing technical skill — meaning a competent engineer gets dramatically more capable, while someone with shaky fundamentals mostly produces shaky output faster. The security implications are left as an exercise for the reader, but it does explain a few recent penetration test reports. The more interesting corollary for the security industry: if AI multiplies skill, the gap between a well-resourced threat actor and an under-staffed SOC team may be widening faster than headcount projections account for. Something to bring up at the next budget meeting — politely.