Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible auth bypass requiring no privileges or interaction; S:U and uniform Low impact reflect constrained MCP proxy access without scope change.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.
AnalysisAI
Authentication bypass in BerriAI LiteLLM versions 1.59.0 through 1.59.8 allows unauthenticated remote attackers to circumvent the UserAPIKeyAuth function within the experimental MCP Proxy server component, gaining unauthorized access to protected LLM proxy functionality without valid credentials. A public proof-of-concept exploit is confirmed available via GitHub gist (YLChen-007), materially lowering the bar for exploitation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The experimental MCP server component (`litellm/proxy/_experimental/mcp_server/`) must be enabled and the proxy endpoint must be reachable over the network from the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) positions this as a network-exploitable, unauthenticated, low-complexity flaw requiring no user interaction and no attack prerequisites - the most dangerous combination from an accessibility standpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a LiteLLM instance with the experimental MCP Proxy server enabled and network-accessible, then uses the publicly available proof-of-concept exploit (GitHub gist by YLChen-007) to send a crafted request that bypasses the UserAPIKeyAuth validation function without supplying valid credentials. Upon successful bypass, the attacker gains proxy-level access and can issue LLM API calls billed to the victim's configured provider accounts, enumerate or extract backend API keys stored in the LiteLLM configuration, or manipulate model routing to exfiltrate sensitive prompt data. |
| Remediation | No vendor-released patch version has been independently confirmed from the available references at time of analysis; fix status should be verified directly against the BerriAI LiteLLM upstream repository and the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-12773. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read an
Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute
BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical s
Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute ar
BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on t
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error oc
In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerabi
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. Rated high severity (CVSS
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` en
A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated
berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. Rated med
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated crit
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38139
GHSA-4jcj-7x88-m979