CVE-2026-12773 Overview
CVE-2026-12773 is an improper authentication vulnerability [CWE-287] affecting BerriAI LiteLLM up to version 1.59.8. The flaw resides in the UserAPIKeyAuth function within litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py, part of the Model Context Protocol (MCP) Proxy component. Attackers can manipulate authentication handling remotely without user interaction or prior credentials. A public exploit has been disclosed, increasing the risk of opportunistic abuse against exposed LiteLLM proxy deployments.
Critical Impact
Remote attackers can bypass authentication on the LiteLLM MCP Proxy, gaining unauthorized access to proxied LLM resources and API key-protected functionality.
Affected Products
- BerriAI LiteLLM versions up to and including 1.59.8
- LiteLLM MCP Proxy component (litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py)
- Deployments exposing the UserAPIKeyAuth MCP authentication path
Discovery Timeline
- 2026-06-21 - CVE-2026-12773 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-12773
Vulnerability Analysis
The vulnerability stems from improper authentication logic in the UserAPIKeyAuth function used by the LiteLLM MCP Proxy. The MCP Proxy brokers requests between MCP clients and language model backends, relying on UserAPIKeyAuth to validate API keys before forwarding requests. Flawed handling within this function allows attackers to manipulate inputs in a way that causes authentication to succeed without valid credentials. Because the attack vector is network-based and requires neither privileges nor user interaction, any internet-reachable LiteLLM instance prior to the fixed release is at risk. With a public proof of concept available via the referenced GitHub PoC Repository, exploitation tooling is accessible to opportunistic threat actors targeting AI infrastructure.
Root Cause
The root cause is an improper authentication check [CWE-287] in UserAPIKeyAuth within the experimental MCP server authentication module. The function fails to consistently enforce credential validation across all execution paths, permitting requests to proceed in an authenticated state when they should be rejected. This is a logic flaw in the authentication routine rather than a cryptographic weakness.
Attack Vector
An attacker sends crafted HTTP requests to the LiteLLM MCP Proxy endpoint protected by UserAPIKeyAuth. By triggering the flawed branch within the authentication function, the attacker obtains the same level of access a legitimate API key holder would receive. The exploit can be launched remotely against any reachable instance, with no user interaction required. Technical details and reproduction steps are documented in the VulDB Vulnerability Details entry.
Detection Methods for CVE-2026-12773
Indicators of Compromise
- Unexpected successful authentications to the MCP Proxy endpoint without a corresponding valid API key in audit logs.
- Requests to litellm/proxy/_experimental/mcp_server/ paths originating from unfamiliar IP addresses or user agents.
- Anomalous spikes in LLM backend usage or token consumption tied to the MCP Proxy.
- Outbound calls from the LiteLLM service to attacker-controlled MCP servers or model endpoints.
Detection Strategies
- Inspect LiteLLM proxy access logs for MCP routes returning HTTP 200 responses on requests lacking valid Authorization headers or API key parameters.
- Compare authenticated user identifiers in MCP request logs against your provisioned API key inventory and flag mismatches.
- Deploy signatures for the public PoC traffic patterns referenced in the disclosure against reverse proxies and WAFs fronting LiteLLM.
Monitoring Recommendations
- Forward LiteLLM application and proxy logs to a centralized analytics platform and alert on authentication anomalies on MCP endpoints.
- Track API key usage baselines and alert on first-seen keys, unusual source ASNs, or sudden volume increases.
- Monitor process and network telemetry on hosts running LiteLLM for unexpected outbound connections following MCP requests.
How to Mitigate CVE-2026-12773
Immediate Actions Required
- Upgrade LiteLLM to a version later than 1.59.8 that addresses the UserAPIKeyAuth flaw once published by the vendor.
- Restrict network exposure of the LiteLLM MCP Proxy to trusted internal networks or place it behind an authenticating reverse proxy.
- Rotate all LiteLLM-managed API keys and review backend LLM provider billing for unauthorized usage.
- Audit MCP Proxy logs for prior exploitation attempts dating back to deployment of any vulnerable version.
Patch Information
No vendor advisory URL is currently listed in the enriched data. Administrators should monitor the LiteLLM GitHub repository and the VulDB CVE Details page for fix release information. The vendor was contacted in advance of public disclosure according to the VulDB submission.
Workarounds
- Disable the experimental MCP server module if it is not required by your deployment.
- Enforce authentication at an upstream gateway (for example, an API gateway or service mesh) that independently validates client credentials before reaching LiteLLM.
- Apply network-layer access control lists to limit MCP Proxy reachability to known client IP ranges.
- Implement strict egress filtering from the LiteLLM host to prevent abuse of compromised proxy sessions.
# Example: restrict MCP Proxy exposure with an upstream nginx auth check
location /mcp/ {
auth_request /validate-key;
proxy_pass http://litellm_backend;
}
location = /validate-key {
internal;
proxy_pass http://auth_service/verify;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

