CVE-2026-12771 Overview
CVE-2026-12771 is an improper authorization vulnerability [CWE-266] in BerriAI litellm versions up to 1.82.2. The flaw resides in the Machine-to-Machine (M2M) JWT Handler component within litellm/proxy/auth/user_api_key_auth.py. An authenticated remote attacker can manipulate the authorization logic to gain access beyond their assigned privileges. The attack is network-based but carries high complexity, and the exploit code is publicly available through a GitHub Gist. The vendor was notified ahead of public disclosure.
Critical Impact
Authenticated attackers can bypass intended authorization controls in the litellm proxy, exposing LLM API routes and resources that should be restricted to higher-privileged identities.
Affected Products
- BerriAI litellm versions up to and including 1.82.2
- litellm/proxy/auth/user_api_key_auth.py authentication module
- Deployments using the M2M JWT Handler for service-to-service authentication
Discovery Timeline
- 2026-06-21 - CVE-2026-12771 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-12771
Vulnerability Analysis
The vulnerability affects the M2M JWT Handler used by litellm to validate service-to-service authentication tokens. The handler in user_api_key_auth.py improperly evaluates authorization claims when processing JWT tokens issued for machine identities. As a result, a token holder can perform actions or access resources that exceed the privileges originally granted to that machine identity.
The exploit is publicly available, but the attack is classified as high complexity. Successful exploitation requires the attacker to already possess valid low-privileged credentials and to craft requests that exercise the flawed authorization path.
Root Cause
The root cause is improper handling of privilege assignment during JWT validation, mapped to [CWE-266] Incorrect Privilege Assignment. The handler relies on token claims without enforcing strict scope and role checks against the requested resource. This permits an entity to operate with privileges that should be reserved for a different identity class.
Attack Vector
The attack vector is network-based. An attacker with a valid M2M JWT submits requests to the litellm proxy endpoints protected by user_api_key_auth.py. By crafting requests that exploit the missing authorization checks, the attacker accesses LLM model routes, key management functions, or proxy administration endpoints that should be denied. Refer to the VulDB entry for CVE-2026-12771 and the public Proof-of-Concept Gist for technical specifics.
No verified exploit code is reproduced here. The vulnerability manifests within the JWT claim validation logic when the proxy resolves the calling identity to a set of permitted operations.
Detection Methods for CVE-2026-12771
Indicators of Compromise
- Requests to litellm proxy administrative or key-management endpoints originating from M2M service identities that have no business need for those routes
- Authentication events in user_api_key_auth.py logs showing JWT tokens accessing resources outside their declared scope
- Unexpected creation, modification, or enumeration of API keys, models, or team objects from service accounts
Detection Strategies
- Inspect litellm proxy access logs for JWT-authenticated requests that target endpoints inconsistent with the token's role or team assignment
- Correlate spikes in 200-response calls to privileged routes against the identity baseline for each M2M client
- Compare runtime authorization decisions against the principle of least privilege defined for each service identity
Monitoring Recommendations
- Forward litellm proxy authentication and audit logs to a centralized SIEM and alert on privilege-sensitive endpoints invoked by M2M identities
- Track JWT issuance and usage patterns to detect tokens being reused outside their intended service context
- Monitor the version of deployed litellm instances and flag any running 1.82.2 or earlier
How to Mitigate CVE-2026-12771
Immediate Actions Required
- Upgrade litellm to a version later than 1.82.2 once a fixed release is published by BerriAI
- Rotate all M2M JWT signing keys and reissue tokens with minimal, scope-bound claims
- Audit existing M2M identities and remove any that hold privileges beyond their operational requirement
Patch Information
No vendor advisory URL is listed in the available CVE references. Administrators should track the BerriAI litellm repository for a fixed release above version 1.82.2 and review the VulDB entry for updates. Until a patch is confirmed, treat all deployments at or below 1.82.2 as vulnerable.
Workarounds
- Restrict network access to the litellm proxy so that only trusted clients can reach the M2M authentication endpoints
- Enforce additional authorization at an upstream API gateway, validating JWT scopes and target routes before requests reach litellm
- Disable the M2M JWT Handler path where not required and rely on standard API key authentication with strictly scoped keys
# Configuration example: restrict proxy exposure and require gateway-enforced scopes
# 1. Bind litellm proxy to localhost only and front it with an authenticating gateway
litellm --host 127.0.0.1 --port 4000 --config /etc/litellm/config.yaml
# 2. In the gateway, enforce JWT scope and audience checks before forwarding
# Reject tokens whose 'scope' claim does not match the requested path
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

