CVE-2026-12796
Published: 2026-06-21
Priority: P3 45 · CVSS 3.1: 6.3 (medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.36% (27.7th percentile)
A vulnerability was identified in BerriAI litellm up to 1.82.2. It affects the function get_redirect_response_from_openid in the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Authentication Flow. The manipulation leads to session expiration. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | lightspeed-chatbot-rhel9 | — | — |
| ansible-automation-platform-27 | lightspeed-chatbot-rhel9 | — | — |
| berriai | litellm | — | — |
| berriai | litellm | — | — |
| berriai | litellm | — | — |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| litellm | litellm | <= 1.82.2 | — |
| rhoai | odh-llama-stack-core-rhel9 | — | — |
| rhoai | odh-mlflow-rhel9 | — | — |
| rhoai | odh-trustyai-garak-lls-provider-dsp-rhel9 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vendor_redhat | — | 6.3 | MEDIUM | — |
Red Hat
vendor_redhat · 2026-06-21 · CVSS 6.3
CVE-2026-12796 [MEDIUM] CWE-613: litellm: Session expiration vulnerability in SSO Authentication Flow
A flaw was found in BerriAI litellm. A remote attacker could exploit a vulnerability in the `get_redirect_response_from_openid` function within the SSO Authentication Flow component. This manipulation leads to session expiration, potentially causing a denial of service for authenticated users.
GHSA
ghsa_unreviewed · 2026-06-21
CVE-2026-12796 [LOW] CWE-613: A vulnerability was identified in BerriAI litellm up to 1.82.2.
VulDB
vuldb · 2026-06-20
CVE-2026-12796 [CRITICAL]: BerriAI litellm up to 1.82.2 SSO Authentication Flow ui_sso.py get_redirect_response_from_openid session expiration
A vulnerability has been found in BerriAI litellm up to 1.82.2 and classified as critical. This impacts the function get_redirect_response_from_openid of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Authentication Flow. The manipulation leads to session expiration. This vulnerability is uniquely identified as CVE-2026-12796. The attack can be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure.
No detection rules found.
No public exploits indexed.