CVE-2026-12773
Published 2026-06-21
Priority: P262 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.61% (44.8th percentile)
A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| berriai | litellm | — | — |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| litellm | litellm | < 1.59.9 | 1.59.9 |
Detection & IOCs (extracted from sources)
- Monitor for requests reaching MCP proxy endpoints that result in 401/403 errors from API key validation but still proceed to backend MCP servers; this indicates an authentication bypass attempt exploiting the mishandled error flow in UserAPIKeyAuth.
- Flag any unauthenticated or anomalous access to the LiteLLM MCP proxy endpoints, particularly where backend MCP servers are configured with allow_all_keys: true.
- Audit the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py for the UserAPIKeyAuth function as the specific locus of the authentication bypass vulnerability.
- Backend MCP servers configured with allow_all_keys: true are directly exploitable via this authentication bypass; avoid this configuration as a workaround until patching.
- The vulnerability affects litellm versions up to and including 1.59.8 per NVD, but Red Hat's statement extends the affected range to versions prior to 1.81.16 as shipped in select Red Hat products.
- A public exploit is available for this vulnerability, raising the urgency of detection and mitigation.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA
ghsa_unreviewed · 2026-06-21
CVE-2026-12773 [MEDIUM] CWE-287: A weakness has been identified in BerriAI litellm up to 1.59.8.
VulDB
vuldb · 2026-06-20
CVE-2026-12773 [CRITICAL]: BerriAI litellm up to 1.59.8 MCP Proxy user_api_key_auth_mcp.py UserAPIKeyAuth improper authentication
A vulnerability, which was classified as critical, was found in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The identification of this vulnerability is CVE-2026-12773. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure.
Red Hat
vendor_redhat · 2026-06-21 · CVSS 9.8
CVE-2026-12773 [CRITICAL] CWE-303: litellm: BerriAI litellm: Improper authentication in MCP Proxy via UserAPIKeyAuth function
A flaw was found in BerriAI litellm, within its MCP Proxy component. A remote attacker could exploit an improper authentication vulnerability in the UserAPIKeyAuth function. This could allow unauthorized access, potentially compromising the confidentiality, in
No detection rules found.
No public exploits indexed.
References
- https://gist.github.com/YLChen-007/3cfaad10a69d7a15e4d4d458cb53309e
- https://vuldb.com/cve/CVE-2026-12773
- https://vuldb.com/submit/811282
- https://vuldb.com/vuln/372515
- https://vuldb.com/vuln/372515/cti
- https://access.redhat.com/security/cve/CVE-2026-12773
- https://bugzilla.redhat.com/show_bug.cgi?id=2491112
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12773.json
Published: 2026-06-21