Description
A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.
Published: 2026-06-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness in BerriAI litellm up to version 1.59.8 enables callers to bypass the authentication logic in the UserAPIKeyAuth routine, allowing an unauthenticated attacker to send requests to the MCP Proxy API without possessing a valid API key. The flaw is rooted in authentication failure (CWE‑287) and a weak key verification mechanism (CWE‑303).

Affected Systems

All instances of BerriAI litellm that include the MCP Proxy component and are running version 1.59.8 or earlier may be affected. The vulnerability resides in the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py and thus any environment where that module is active without the fix is exposed.

Risk and Exploitability

The flaw carries a CVSS score of 6.9, indicating a moderate to high impact. The EPSS score is below 1%, suggesting a very low but non-zero probability of exploitation, yet the publicly available exploit raises awareness and potential abuse. The vulnerability is not listed in the CISA KEV catalog, but its remote nature means an attacker can reach the vulnerable endpoint over the internet, craft requests without authentic credentials, and gain unauthorized access to the MCP Proxy service.

Generated by OpenCVE AI on June 26, 2026 at 14:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact BerriAI to confirm the availability of a patch or update for litellm versions 1.59.8 and earlier
  • Restrict inbound traffic to the MCP Proxy endpoint, limiting access to trusted networks or applying firewall rules to block exposure to untrusted sources
  • Implement an additional layer of API‑key validation within your infrastructure, verifying that incoming keys exist in your authorized key store and have not expired before forwarding requests to the proxy
  • Maintain an inventory of all litellm deployments and apply ongoing monitoring to detect any abuse of the MCP Proxy endpoint

Generated by OpenCVE AI on June 26, 2026 at 14:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-303
References
Metrics threat_severity

None

threat_severity

Important


Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.
Title BerriAI litellm MCP Proxy user_api_key_auth_mcp.py UserAPIKeyAuth improper authentication
First Time appeared Litellm
Litellm litellm
Weaknesses CWE-287
CPEs cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Vendors & Products Litellm
Litellm litellm
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-30T12:06:53.325Z

Reserved: 2026-06-20T09:26:26.143Z

Link: CVE-2026-12773

cve-icon Vulnrichment

Updated: 2026-06-30T02:46:35.096Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-21T03:15:08Z

Links: CVE-2026-12773 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T14:45:06Z

Weaknesses
  • CWE-287

    Improper Authentication

  • CWE-303

    Incorrect Implementation of Authentication Algorithm