CVE-2026-12770 Overview
CVE-2026-12770 is an improper authorization vulnerability [CWE-266] affecting BerriAI litellm versions up to 1.63.1. The flaw resides in an unspecified function within litellm/proxy/management_endpoints/key_management_endpoints.py, part of the Admin Key Handler component. An authenticated attacker can manipulate the affected logic remotely to perform actions outside the scope of their assigned privileges. The exploit has been publicly disclosed, increasing the likelihood of opportunistic use against unpatched deployments. The maintainers have addressed the issue in pull request 23781.
Critical Impact
Remote authenticated attackers can abuse the litellm Admin Key Handler to perform unauthorized key management operations, undermining tenant isolation in LLM proxy deployments.
Affected Products
- BerriAI litellm versions up to and including 1.63.1
- Deployments exposing the litellm/proxy/management_endpoints/key_management_endpoints.py endpoints
- Self-hosted litellm proxy instances using the Admin Key Handler
Discovery Timeline
- 2026-06-21 - CVE-2026-12770 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-12770
Vulnerability Analysis
The vulnerability stems from improper authorization checks within the litellm proxy's key management endpoints. The Admin Key Handler exposes operations that should be restricted to administrative principals. The affected code path fails to validate the calling identity's privilege level before executing sensitive key management operations. An attacker holding low-privilege credentials (PR:L) can invoke administrative functionality reserved for higher-privileged accounts.
litellm is a widely deployed proxy that brokers access to large language model providers and manages API keys for multi-tenant environments. A weakness in its authorization logic can break the trust boundary between tenants and operators of the proxy.
Root Cause
The root cause maps to [CWE-266] Incorrect Privilege Assignment. The function in key_management_endpoints.py does not adequately enforce a privilege check before granting access to administrative key handling routines. As a result, requests authenticated with a non-admin key can reach logic that assumes admin context.
Attack Vector
The attack is initiated remotely over the network. The attacker authenticates with low-privilege credentials to the litellm proxy and issues crafted requests against the affected key management endpoints. No user interaction is required. Successful exploitation enables limited impact on the integrity and availability of key state managed by the proxy. A public proof-of-concept is available in a GitHub Gist PoC, and additional analysis is published in the VulDB CVE-2026-12770 advisory.
No verified exploitation code is reproduced here. Refer to the linked references for technical details.
Detection Methods for CVE-2026-12770
Indicators of Compromise
- Unexpected HTTP requests from non-admin API keys to /key/* management routes on the litellm proxy
- Creation, modification, or deletion of API keys not initiated by an administrative user
- Audit log entries showing key management operations performed by principals lacking the admin role
- Spikes in 2xx responses from key_management_endpoints.py correlated with low-privilege session tokens
Detection Strategies
- Enable verbose request logging on the litellm proxy and review calls to key management endpoints by caller identity and role
- Compare the caller's resolved role against the operation invoked to identify privilege mismatches
- Track the litellm version in inventory and flag any host running <= 1.63.1
Monitoring Recommendations
- Forward litellm proxy access and audit logs to a centralized SIEM and alert on key management activity by non-admin principals
- Baseline normal key lifecycle operations per tenant and alert on deviations
- Monitor egress from the litellm host for unexpected access to upstream LLM providers using newly created keys
How to Mitigate CVE-2026-12770
Immediate Actions Required
- Upgrade litellm to the version containing the fix from GitHub Pull Request #23781
- Rotate all API keys issued by affected litellm proxy instances, prioritizing keys with elevated scopes
- Review historical audit logs for unauthorized key management operations performed by non-admin users
Patch Information
The maintainers merged the fix referenced as patch 23781. Apply the upstream patch by upgrading to a version that includes GitHub Pull Request #23781. Track project releases via the GitHub Project Repository.
Workarounds
- Restrict network access to the litellm proxy management endpoints using firewall rules or a reverse proxy allowlist
- Disable or limit issuance of non-admin keys until patching is complete
- Place the litellm management API behind an authenticating gateway that enforces role-based access control independent of the application
# Example: restrict /key/* management routes to an internal admin CIDR using nginx
location /key/ {
allow 10.0.0.0/24; # admin management subnet
deny all;
proxy_pass http://litellm_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

