Impact
A weakness in BerriAI litellm up to version 1.59.8 enables callers to bypass the authentication logic in the UserAPIKeyAuth routine, allowing an unauthenticated attacker to send requests to the MCP Proxy API without possessing a valid API key. The flaw is rooted in authentication failure (CWE‑287) and a weak key verification mechanism (CWE‑303).
Affected Systems
All instances of BerriAI litellm that include the MCP Proxy component and are running version 1.59.8 or earlier may be affected. The vulnerability resides in the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py and thus any environment where that module is active without the fix is exposed.
Risk and Exploitability
The flaw carries a CVSS score of 6.9, indicating a moderate to high impact. The EPSS score is below 1%, suggesting a very low but non-zero probability of exploitation, yet the publicly available exploit raises awareness and potential abuse. The vulnerability is not listed in the CISA KEV catalog, but its remote nature means an attacker can reach the vulnerable endpoint over the internet, craft requests without authentic credentials, and gain unauthorized access to the MCP Proxy service.
OpenCVE Enrichment