CVE-2026-12772 Overview
CVE-2026-12772 is a session management vulnerability in BerriAI litellm versions up to 1.82.2. The flaw resides in the authenticate_user function within litellm/proxy/auth/login_utils.py, part of the PROXY_ADMIN database API Key Generator component. Manipulation of this function results in improper session expiration handling [CWE-613]. The issue is exploitable remotely by an authenticated attacker with low privileges. A public proof-of-concept has been published, increasing the likelihood of opportunistic abuse against exposed litellm proxy deployments.
Critical Impact
Authenticated remote attackers can abuse improper session expiration logic in the litellm proxy admin component, leading to limited compromise of confidentiality, integrity, and availability.
Affected Products
- BerriAI litellm up to and including version 1.82.2
- litellm/proxy/auth/login_utils.py — authenticate_user function
- PROXY_ADMIN database API Key Generator component
Discovery Timeline
- 2026-06-21 - CVE-2026-12772 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-12772
Vulnerability Analysis
The vulnerability is classified as Insufficient Session Expiration [CWE-613]. The authenticate_user function in litellm/proxy/auth/login_utils.py fails to properly enforce session expiration semantics within the PROXY_ADMIN database API Key Generator workflow. An authenticated user with low privileges can manipulate session handling to extend or retain access beyond expected lifetime constraints. The exploit was publicly disclosed, and the vendor was contacted prior to publication. The reported impact is limited across confidentiality, integrity, and availability, consistent with the LOW severity classification.
Root Cause
The root cause is improper enforcement of session lifetime within authenticate_user. The function does not adequately invalidate or revalidate session state when generating or rotating administrative API keys. This permits an attacker holding valid low-privilege credentials to operate within a session that should otherwise be expired. Because the proxy admin path issues credentials for downstream LLM API access, residual sessions can be leveraged for unauthorized actions through the proxy.
Attack Vector
The attack is initiated over the network against an exposed litellm proxy instance. The attacker requires existing low-privilege authentication to the proxy but does not require user interaction. By interacting with the API Key Generator endpoints backed by authenticate_user, the attacker manipulates session state to bypass expiration controls. EPSS data places the exploitation probability at 0.262% with a percentile of 17.44, reflecting public PoC availability but limited observed targeting. Specific exploitation steps are documented in the public GitHub Gist proof-of-concept.
The vulnerability manifests in the authenticate_user session handling logic. See the GitHub Gist PoC and VulDB CVE-2026-12772 for technical details.
Detection Methods for CVE-2026-12772
Indicators of Compromise
- Repeated authentication or API key generation requests to litellm proxy admin endpoints from a single low-privilege account.
- Active sessions or API keys persisting beyond configured expiration windows in litellm audit logs.
- Unexpected calls to authenticate_user paths under litellm/proxy/auth/login_utils.py correlated with admin key issuance.
Detection Strategies
- Audit litellm proxy logs for session tokens reused after their nominal expiration time.
- Correlate API key creation events with originating session identifiers to detect sessions that should have terminated.
- Alert on administrative actions performed by accounts whose last interactive login predates the configured session lifetime.
Monitoring Recommendations
- Forward litellm proxy authentication and admin API logs to a centralized SIEM for retention and correlation.
- Track issuance rate of admin API keys per account and flag deviations from baseline.
- Monitor network access to the litellm proxy admin interface and restrict source IPs to known operator ranges.
How to Mitigate CVE-2026-12772
Immediate Actions Required
- Upgrade BerriAI litellm to a release later than 1.82.2 once the vendor publishes a fixed version.
- Rotate all existing PROXY_ADMIN API keys and force re-authentication for proxy admin users.
- Restrict network exposure of the litellm proxy admin endpoints to trusted management networks only.
Patch Information
No vendor advisory URL is published in the enriched CVE data at the time of writing. Track upstream commits and releases in the BerriAI litellm project and consult VulDB Vulnerability #372514 for fix references as they become available.
Workarounds
- Place the litellm proxy behind an authenticating reverse proxy that enforces independent session expiration.
- Reduce server-side session and API key lifetime defaults to minimize the window for abuse.
- Disable or firewall the proxy admin API Key Generator endpoints for accounts that do not require key issuance.
# Example: restrict litellm proxy admin to a management subnet via iptables
iptables -A INPUT -p tcp --dport 4000 -s 10.0.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 4000 -j DROP
# Example: shorten session lifetime via environment configuration
export LITELLM_SESSION_TTL_SECONDS=900
export LITELLM_MASTER_KEY_TTL_SECONDS=3600
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

