Description
A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function async_pre_call_hook of the file enterprise/enterprise_hooks/banned_keywords.py of the component Completions Interface. The manipulation of the argument prompt results in incorrect authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the async_pre_call_hook function of the banned_keywords module, part of the Completions Interface component of BerriAI litellm. By manipulating the prompt argument, an attacker can cause the authorization logic to evaluate incorrectly, potentially gaining access to the completion service that should not have been granted. The record states that the attack can be performed remotely and that a public exploit has already been released, indicating that the weakness is reachable through ordinary network requests to the service. The incorrect authorization could allow an attacker to use the interface beyond intended permissions, affecting the confidentiality and integrity of the supplied content.

Affected Systems

BerriAI:litellm up to and including version 1.82.5. The vulnerability affects all deployments using the enterprise/enterprise_hooks/banned_keywords.py module in these releases.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity, covering partial denial of service or partial privilege escalation. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. However, the public release of an exploit and the ability to conduct the attack remotely mean that the risk is non-negligible, especially for environments that rely on the litellm Completions Interface for production workloads.

Generated by OpenCVE AI on June 21, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BerriAI litellm to a version newer than 1.82.5 once the vendor releases a fix.
  • If an immediate upgrade is not possible, disable or bypass the async_pre_call_hook in the banned_keywords module to remove the authorization pathway vulnerable to manipulation.
  • Audit and harden prompt handling by enforcing strict input validation or tokenization to prevent prompt-based exploits.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 18:30:00 +0000

Values added (no values removed):
  • First Time appeared: Berriai; Berriai litellm
  • Vendors & Products: Berriai; Berriai litellm

Sun, 21 Jun 2026 15:00:00 +0000

Values added (no values removed):
  • Description: A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function async_pre_call_hook of the file enterprise/enterprise_hooks/banned_keywords.py of the component Completions Interface. The manipulation of the argument prompt results in incorrect authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
  • Title: BerriAI litellm Completions banned_keywords.py async_pre_call_hook authorization
  • First Time appeared: Litellm; Litellm litellm
  • Weaknesses: CWE-285; CWE-863
  • CPEs: cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
  • Vendors & Products: Litellm; Litellm litellm
  • References:
  • Metrics:
      cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-21T09:15:08.592Z

Reserved: 2026-06-20T17:12:18.055Z

Link: CVE-2026-12797

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-21T18:15:04Z

Weaknesses