Skip to main content

LiteLLM CVE-2026-12774

| EUVDEUVD-2026-38140 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-21 VulDB GHSA-h9c7-cfj6-h8j6
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.4 MEDIUM

Network SSRF requiring low-privilege auth (PR:L); scope changes as server contacts internal systems; limited C/I from internal probing, no meaningful availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 22, 2026 - 06:30 vuln.today
Severity Changed
Jun 21, 2026 - 04:22 NVD
MEDIUM LOW
CVSS changed
Jun 21, 2026 - 04:22 NVD
5.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function _execute_with_mcp_client of the file litellm/proxy/_experimental/mcp_server/rest_endpoints.py of the component MCP Server Connection Testing. The manipulation leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.

AnalysisAI

Server-side request forgery in BerriAI LiteLLM versions up to 1.82.2 allows authenticated remote attackers to induce the proxy server to make arbitrary outbound HTTP requests by manipulating the MCP (Model Context Protocol) Server Connection Testing endpoint. The vulnerable function _execute_with_mcp_client in the experimental MCP server component fails to validate or restrict user-supplied connection targets, enabling internal network probing, potential access to cloud metadata services, and circumvention of network segmentation controls. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege LiteLLM API credentials
Delivery
Send crafted MCP test request with internal target URL
Exploit
LiteLLM proxy issues server-side HTTP request to internal destination
Execution
Receive response revealing internal service data or cloud metadata
Impact
Leverage metadata to escalate privileges or pivot laterally

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid authenticated session or API key with at least low-privilege access to the LiteLLM proxy instance (PR:L per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-significant despite the reported CVSS 4.0 score of 2.1, which is depressed by the E:P threat metric (proof-of-concept maturity) and low individual CIA impact ratings. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid low-privilege API key for a shared LiteLLM proxy deployment sends a crafted POST request to the MCP server connection testing endpoint, supplying an internal URL such as `http://169.254.169.254/latest/meta-data/` or an internal admin API address as the MCP server target. The LiteLLM proxy issues an HTTP request to the attacker-specified destination and may return or log the response, allowing the attacker to enumerate cloud instance metadata, harvest IAM credentials, or map internal services. …
Remediation No vendor-released patched version was independently confirmed at time of analysis - the affected version range tops out at 1.82.2 with no fix version cited in VulDB, EUVD, or NVD references. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-42208 CRITICAL POC
9.3 May 08

SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read an

CVE-2026-42271 HIGH POC
8.7 May 08

Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute

CVE-2024-2952 CRITICAL POC
9.8 Apr 10

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical s

CVE-2026-40217 HIGH POC
8.8 Apr 10

Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute ar

CVE-2024-4888 HIGH POC
8.1 Jun 06

BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on t

CVE-2025-0330 HIGH POC
7.5 Mar 20

In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error oc

CVE-2024-9606 HIGH POC
7.5 Mar 20

In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerabi

CVE-2024-6587 HIGH POC
7.5 Sep 13

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. Rated high severity (CVSS

CVE-2024-5225 HIGH POC
7.2 Jun 06

An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` en

CVE-2024-4889 HIGH POC
7.2 Jun 06

A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated

CVE-2024-5710 MEDIUM POC
6.5 Jun 27

berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. Rated med

CVE-2024-5751 CRITICAL
9.8 Jun 27

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated crit

Share

CVE-2026-12774 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy