CVE-2026-12773
published 2026-06-21


Priority: P2 (62)
Severity: critical, 9.8 (CVSS 3.1), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.61% (44.8th percentile)
A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth in the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Manipulating this function can lead to improper authentication. The attack may be launched remotely. A public exploit is available and could be used in attacks. The vendor was contacted early about this disclosure.

Affected

11 ranges

Vendor                             Product                        Version range                                   Fixed in
berriai                            litellm                        (9 ranges; version bounds not captured on this page)
exploit-intelligence-tech-preview  vulnerability-analysis-rhel9   (not shown)
litellm                            litellm                        < 1.59.9                                        1.59.9

Detection & IOCs (extracted from sources)

  • Monitor for requests to MCP proxy endpoints in which API key validation returns 401/403 yet the request still reaches a backend MCP server; that pattern indicates an attempt to exploit the mishandled error flow in UserAPIKeyAuth.
  • Flag any unauthenticated or anomalous access to the LiteLLM MCP proxy endpoints, especially where backend MCP servers are configured with allow_all_keys: true.
  • Audit litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py, and the UserAPIKeyAuth function in it, as the specific locus of the authentication bypass.
  • Backend MCP servers configured with allow_all_keys: true are directly exploitable via this bypass; remove that setting as a workaround until the proxy is patched.
  • NVD lists litellm versions up to and including 1.59.8 as affected, but Red Hat's statement extends the affected range to versions prior to 1.81.16 as shipped in select Red Hat products. Check the installed version against the range that applies to your distribution, not only the upstream one.
  • A public exploit is available for this vulnerability, raising the urgency of detection and mitigation.
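The three checks in the list above (version range, allow_all_keys in the proxy config, and auth-failed-but-forwarded requests in proxy logs) applied to constructed input, as an added example. This is not code from the vulnerability page or from the litellm project. The log line format, the `auth` and `forwarded` fields, and the `mcp_servers -> {name: {allow_all_keys: ...}}` config layout are assumptions made for the example; adapt the regex and the config path to the proxy's real log and config formats before running it on production data.

```python
"""Audit helpers for the detection guidance above. Added example; not code
from the vulnerability page or from the litellm project.

Assumptions (labelled): the log line format, the `auth`/`forwarded` fields
and the `mcp_servers -> {name: {allow_all_keys: ...}}` config layout are
constructed for this example. litellm's real proxy logs and config schema
may differ, so adapt LOG_LINE and find_allow_all_keys before real use.
"""
import re
from typing import Any, Dict, Iterable, List, Tuple

# First fixed upstream release listed on this page. Red Hat's affected range
# for its own builds extends to < 1.81.16, so pass that bound instead when
# auditing a Red Hat-shipped litellm.
UPSTREAM_FIXED: Tuple[int, int, int] = (1, 59, 9)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'1.59.8' -> (1, 59, 8); suffixes such as '.post1' are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_vulnerable_version(version: str,
                          fixed: Tuple[int, int, int] = UPSTREAM_FIXED) -> bool:
    """True when the installed litellm is older than the fixed release."""
    return parse_version(version) < fixed


def find_allow_all_keys(config: Dict[str, Any]) -> List[str]:
    """Names of MCP servers whose entry sets allow_all_keys: true.
    Assumed layout: config['mcp_servers'][name] is a dict of settings."""
    servers = config.get("mcp_servers") or {}
    return sorted(name for name, spec in servers.items()
                  if isinstance(spec, dict) and spec.get("allow_all_keys") is True)


# Constructed log format: ISO timestamp, then key=value pairs, one request per line.
LOG_LINE = re.compile(
    r"(?P<ts>\S+) req=(?P<req>\S+) path=(?P<path>\S+) "
    r"auth=(?P<auth>\S+) forwarded=(?P<fwd>true|false)"
)
FAILED_OR_ABSENT_AUTH = {"401", "403", "none"}


def detect_auth_bypass(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag MCP proxy requests where key validation failed (401/403) or no
    key was presented, yet the request was still forwarded to a backend
    MCP server. A correctly behaving proxy never forwards such requests."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m or not m.group("path").startswith("/mcp"):
            continue  # malformed line, or not an MCP proxy endpoint
        if m.group("fwd") == "true" and m.group("auth") in FAILED_OR_ABSENT_AUTH:
            hits.append({"req": m.group("req"), "path": m.group("path"),
                         "auth": m.group("auth"),
                         "reason": "forwarded to backend despite failed or absent auth"})
    return hits


# --- Constructed sample input (not real data) -------------------------------
SAMPLE_CONFIG: Dict[str, Any] = {
    "mcp_servers": {
        "weather": {"url": "http://mcp-weather.internal/mcp", "allow_all_keys": True},
        "tickets": {"url": "http://mcp-tickets.internal/mcp", "allow_all_keys": False},
    }
}

SAMPLE_LOGS = [
    "2026-06-21T10:00:01Z req=r1 path=/mcp/tools auth=200 forwarded=true",          # normal
    "2026-06-21T10:00:02Z req=r2 path=/mcp/tools auth=401 forwarded=true",          # bypass
    "2026-06-21T10:00:03Z req=r3 path=/mcp/tools auth=401 forwarded=false",         # rejected
    "2026-06-21T10:00:04Z req=r4 path=/mcp/call auth=none forwarded=true",          # no key
    "2026-06-21T10:00:05Z req=r5 path=/chat/completions auth=401 forwarded=true",   # not MCP
]

if __name__ == "__main__":
    print("vulnerable 1.59.8:", is_vulnerable_version("1.59.8"))          # True
    print("allow_all_keys servers:", find_allow_all_keys(SAMPLE_CONFIG))  # ['weather']
    for hit in detect_auth_bypass(SAMPLE_LOGS):
        print("ALERT", hit)                                               # r2, r4
```

The log check deliberately ignores 401/403 lines that were not forwarded (r3): a rejected request is the proxy working as intended, and alerting on it would drown the real signal, which is the combination of a failed or absent key and a forwarded request.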

CVSS provenance

nvd            v3.1   9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v4.0   5.5  MEDIUM    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd            v2.0   7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat         9.8  CRITICAL

Note that the v3.1 and v4.0 assessments disagree markedly (critical versus medium): the v4.0 vector rates confidentiality, integrity and availability impact as Low and exploit maturity as Proof-of-Concept, while v3.1 rates all three impacts High. Triage on the vector components, not the headline number alone.