Description
A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function _execute_with_mcp_client of the file litellm/proxy/_experimental/mcp_server/rest_endpoints.py of the component MCP Server Connection Testing. The manipulation leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the _execute_with_mcp_client function in litellm’s MCP Server Connection Testing component. It allows an attacker to manipulate the request so that the server performs arbitrary outbound HTTP requests. This Server-Side Request Forgery can expose internal network resources, retrieve sensitive data, or be used to pivot to further attacks. The weakness is identified as CWE-918, reflecting improper validation of user-controlled data used to construct web requests.

Affected Systems

BerriAI:litellm versions up to and including 1.82.2 are susceptible. No versions above 1.82.2 are listed as affected. The vulnerability is confined to the rest_endpoints.py file within the MCP Server Connection Testing module.

Risk and Exploitability

The CVSS base score is 5.3, indicating a moderate impact. The EPSS score is not available, so the precise exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Remote exploitation is possible because the flaw is triggered by a standard HTTP request to the server. Publicly disclosed exploit code exists, so an attacker could readily deploy the attack against any exposed instance of the vulnerable package.

Generated by OpenCVE AI on June 21, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BerriAI:litellm to the latest release that removes the vulnerable _execute_with_mcp_client function; the fix is available in all patches newer than 1.82.2.
  • If an immediate upgrade is not possible, limit the server’s outbound HTTP connectivity by placing the application behind a strict egress control or firewall whitelist that only permits the addresses it legitimately needs to contact.
  • Disable or remove the MCP Server Connection Testing endpoint from the production environment if the functionality is not required, ensuring that no endpoint is exposed that can be used for SSRF.
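As an added defender-side example (this is not litellm's code; it assumes the connection test accepts a user-supplied server URL, a detail the advisory does not give), a validator that rejects any URL whose host resolves to a non-public address before a connection is attempted, covering IP literals, IPv4-mapped IPv6 literals and multi-record DNS answers:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    # Resolve every A/AAAA record: a hostname an attacker controls can point
    # one record at a public address and another at 127.0.0.1 or 10.0.0.0/8.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr_text):
    ip = ipaddress.ip_address(addr_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:10.0.0.5 as 10.0.0.5
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # where cloud metadata services live), CGNAT, documentation and reserved space.
    return ip.is_global and not ip.is_multicast


def validate_mcp_server_url(url, resolver=_default_resolver):
    """Return (ok, reason). ok is True only if the URL is http(s), carries no
    embedded credentials, and every address its host resolves to is public.
    The resolver parameter is a hypothetical hook so the check can be unit-tested offline."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # strips the brackets from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"could not resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} resolved to no addresses"
    for addr in addrs:
        if not _is_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    # The real connection should reuse these resolved addresses (pinning) rather
    # than resolve again, otherwise a DNS rebinding can still reach inside.
    return True, "ok"
```

The sample hostname mcp.example.net and the address 198.0.0.1 used in tests are constructed values, not part of the advisory.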

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function _execute_with_mcp_client of the file litellm/proxy/_experimental/mcp_server/rest_endpoints.py of the component MCP Server Connection Testing. The manipulation leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.
Title | | BerriAI litellm MCP Server Connection Testing rest_endpoints.py _execute_with_mcp_client server-side request forgery
First Time appeared | | Litellm; Litellm litellm
Weaknesses | | CWE-918
CPEs | | cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Vendors & Products | | Litellm; Litellm litellm
References | |
Metrics | | cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-21T03:45:06.835Z

Reserved: 2026-06-20T09:26:29.098Z

Link: CVE-2026-12774

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-21T09:30:09Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)