Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SSRF yields scope change (S:C) as the server reaches internal resources; PR:L reflects required authentication; C:L for potential internal data disclosure; no integrity or availability impact confirmed.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A weakness has been identified in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function load_openapi_spec_async of the file litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py of the component MCP OpenAPI Spec Loader. This manipulation of the argument spec_path causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.
AnalysisAI
Server-side request forgery in LiteLLM's experimental MCP OpenAPI Spec Loader allows authenticated remote attackers to coerce the server into issuing arbitrary HTTP requests by supplying a malicious spec_path value to the load_openapi_spec_async function. Affected versions are LiteLLM 1.82.0 through 1.82.2 as confirmed by EUVD. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Authentication is required: the CVSS 4.0 vector specifies PR:L (low privilege), meaning the attacker must have at least a valid low-privilege account or API key on the LiteLLM instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 4.0 score is 2.1, which is very low, driven primarily by PR:L (low-privilege authentication required) and uniformly low impact metrics (VC:L/VI:L/VA:L with no subsequent-system impact: SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker with low-privilege API access to a LiteLLM instance submits a crafted request to the MCP OpenAPI Spec Loader, supplying a `spec_path` value pointing to an internal cloud metadata endpoint such as `http://169.254.169.254/latest/meta-data/iam/security-credentials/`. The LiteLLM server fetches the URL and the response - potentially containing IAM credentials - is returned to or observable by the attacker. … |
| Remediation | No vendor-released patched version has been identified at time of analysis; the vendor was contacted early per the disclosure statement, but no fix version appears in the available references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read an
Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute
BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical s
Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute ar
BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on t
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error oc
In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerabi
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. Rated high severity (CVSS
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` en
A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated
berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. Rated med
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated crit
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38157
GHSA-c693-x898-5g4h