Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12771

CVE-2026-12771: Litellm Auth Bypass Vulnerability

CVE-2026-12771 is an authentication bypass flaw in BerriAI Litellm up to version 1.82.2 affecting the M2M JWT Handler. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-12771 Overview

CVE-2026-12771 is an improper authorization vulnerability [CWE-266] in BerriAI litellm versions up to 1.82.2. The flaw resides in the Machine-to-Machine (M2M) JWT Handler component within litellm/proxy/auth/user_api_key_auth.py. An authenticated remote attacker can manipulate the authorization logic to gain access beyond their assigned privileges. The attack is network-based but carries high complexity, and the exploit code is publicly available through a GitHub Gist. The vendor was notified ahead of public disclosure.

Critical Impact

Authenticated attackers can bypass intended authorization controls in the litellm proxy, exposing LLM API routes and resources that should be restricted to higher-privileged identities.

Affected Products

  • BerriAI litellm versions up to and including 1.82.2
  • litellm/proxy/auth/user_api_key_auth.py authentication module
  • Deployments using the M2M JWT Handler for service-to-service authentication

Discovery Timeline

  • 2026-06-21 - CVE-2026-12771 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-12771

Vulnerability Analysis

The vulnerability affects the M2M JWT Handler used by litellm to validate service-to-service authentication tokens. The handler in user_api_key_auth.py improperly evaluates authorization claims when processing JWT tokens issued for machine identities. As a result, a token holder can perform actions or access resources that exceed the privileges originally granted to that machine identity.

The exploit is publicly available, but the attack is classified as high complexity. Successful exploitation requires the attacker to already possess valid low-privileged credentials and to craft requests that exercise the flawed authorization path.

Root Cause

The root cause is improper handling of privilege assignment during JWT validation, mapped to [CWE-266] Incorrect Privilege Assignment. The handler relies on token claims without enforcing strict scope and role checks against the requested resource. This permits an entity to operate with privileges that should be reserved for a different identity class.

Attack Vector

The attack vector is network-based. An attacker with a valid M2M JWT submits requests to the litellm proxy endpoints protected by user_api_key_auth.py. By crafting requests that exploit the missing authorization checks, the attacker accesses LLM model routes, key management functions, or proxy administration endpoints that should be denied. Refer to the VulDB entry for CVE-2026-12771 and the public Proof-of-Concept Gist for technical specifics.

No verified exploit code is reproduced here. The vulnerability manifests within the JWT claim validation logic when the proxy resolves the calling identity to a set of permitted operations.

Detection Methods for CVE-2026-12771

Indicators of Compromise

  • Requests to litellm proxy administrative or key-management endpoints originating from M2M service identities that have no business need for those routes
  • Authentication events in user_api_key_auth.py logs showing JWT tokens accessing resources outside their declared scope
  • Unexpected creation, modification, or enumeration of API keys, models, or team objects from service accounts

Detection Strategies

  • Inspect litellm proxy access logs for JWT-authenticated requests that target endpoints inconsistent with the token's role or team assignment
  • Correlate spikes in 200-response calls to privileged routes against the identity baseline for each M2M client
  • Compare runtime authorization decisions against the principle of least privilege defined for each service identity

Monitoring Recommendations

  • Forward litellm proxy authentication and audit logs to a centralized SIEM and alert on privilege-sensitive endpoints invoked by M2M identities
  • Track JWT issuance and usage patterns to detect tokens being reused outside their intended service context
  • Monitor the version of deployed litellm instances and flag any running 1.82.2 or earlier

How to Mitigate CVE-2026-12771

Immediate Actions Required

  • Upgrade litellm to a version later than 1.82.2 once a fixed release is published by BerriAI
  • Rotate all M2M JWT signing keys and reissue tokens with minimal, scope-bound claims
  • Audit existing M2M identities and remove any that hold privileges beyond their operational requirement

Patch Information

No vendor advisory URL is listed in the available CVE references. Administrators should track the BerriAI litellm repository for a fixed release above version 1.82.2 and review the VulDB entry for updates. Until a patch is confirmed, treat all deployments at or below 1.82.2 as vulnerable.

Workarounds

  • Restrict network access to the litellm proxy so that only trusted clients can reach the M2M authentication endpoints
  • Enforce additional authorization at an upstream API gateway, validating JWT scopes and target routes before requests reach litellm
  • Disable the M2M JWT Handler path where not required and rely on standard API key authentication with strictly scoped keys
bash
# Configuration example: restrict proxy exposure and require gateway-enforced scopes
# 1. Bind litellm proxy to localhost only and front it with an authenticating gateway
litellm --host 127.0.0.1 --port 4000 --config /etc/litellm/config.yaml

# 2. In the gateway, enforce JWT scope and audience checks before forwarding
#    Reject tokens whose 'scope' claim does not match the requested path

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.