CVE-2026-12795 Overview
CVE-2026-12795 is a missing authentication vulnerability in BerriAI litellm through version 1.82.2. The flaw resides in the json.dumps call within litellm/proxy/management_endpoints/ui_sso.py, which is part of the SSO Debug Flow component. An unauthenticated remote attacker can manipulate the affected code path to access functionality that should require authentication [CWE-287]. The exploit has been publicly disclosed and the vendor was contacted prior to disclosure. litellm is a widely deployed proxy for large language model APIs, which makes exposed debug endpoints a concern for organizations running it in production.
Critical Impact
Remote attackers can reach the SSO debug flow without authentication, potentially exposing sensitive configuration or session details handled by the litellm proxy.
Affected Products
- BerriAI litellm versions up to and including 1.82.2
- Deployments exposing the litellm proxy management UI
- Self-hosted litellm instances using the SSO Debug Flow component
Discovery Timeline
- 2026-06-21 - CVE-2026-12795 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-12795
Vulnerability Analysis
The vulnerability resides in litellm/proxy/management_endpoints/ui_sso.py, which implements the Single Sign-On (SSO) debug flow for the litellm proxy administrative interface. The affected code path calls json.dumps to serialize debug data, but the surrounding handler does not enforce authentication on requests reaching it. As a result, any remote client able to reach the proxy's network port can invoke the debug endpoint.
The issue is classified as Missing Authentication for Critical Function [CWE-287]. Because litellm is commonly deployed as a gateway between internal applications and third-party LLM providers, exposed debug endpoints can leak SSO configuration, request metadata, or environment context that supports follow-on attacks. The attack requires no user interaction and no prior privileges on the target system.
Root Cause
The root cause is an absent authorization check on the SSO debug handler in ui_sso.py. The handler serializes internal state via json.dumps and returns it to the caller without verifying session credentials, API tokens, or administrator role. Debug interfaces should be gated by authentication and disabled in production, but this code path treats the request as trusted by default.
Attack Vector
An attacker sends an unauthenticated HTTP request directly to the SSO debug endpoint exposed by the litellm proxy. Because the network attack vector requires no credentials and no user interaction, automated scanners can identify and exploit vulnerable instances at scale. The publicly disclosed proof-of-concept demonstrates how to reach the endpoint and trigger the json.dumps response path. See the GitHub Gist PoC Repository and the VulDB CVE-2026-12795 Entry for technical details.
// No verified exploit code available - refer to the linked PoC and VulDB entry for technical specifics.
Detection Methods for CVE-2026-12795
Indicators of Compromise
- Unauthenticated HTTP requests to litellm proxy paths associated with the SSO debug flow (handlers defined in ui_sso.py).
- Responses containing JSON-serialized SSO configuration or session debug data returned to external clients.
- Access log entries showing requests to management endpoints from IP addresses outside the administrative network.
Detection Strategies
- Inventory all litellm deployments and identify instances running version 1.82.2 or earlier exposed to untrusted networks.
- Review reverse proxy and application logs for requests to /sso or ui_sso-related routes lacking authentication headers or session cookies.
- Correlate access to the proxy management UI with subsequent anomalous API key usage or SSO callback activity.
Monitoring Recommendations
- Alert on any external traffic reaching litellm management endpoints; these should only be accessible from trusted administrative ranges.
- Monitor for spikes in 200-status responses to debug routes that historically saw little traffic.
- Track outbound LLM API usage patterns after suspected exposure to detect credential reuse or abuse.
How to Mitigate CVE-2026-12795
Immediate Actions Required
- Upgrade litellm to a release later than 1.82.2 that addresses the missing authentication check in ui_sso.py.
- Restrict network exposure of the litellm proxy management UI to administrative networks or VPN-only access.
- Rotate SSO secrets and API keys handled by affected litellm instances if logs show unauthenticated access to debug routes.
Patch Information
Review the VulDB Vulnerability Report #372557 and the BerriAI litellm project repository for the fixed release. Apply the upgrade to all proxy instances and verify the SSO debug handler now enforces authentication before deserializing or returning state.
Workarounds
- Block external access to SSO debug routes at the reverse proxy or load balancer until the patch is applied.
- Disable the SSO Debug Flow component in environments where it is not required for troubleshooting.
- Place the litellm proxy behind an authenticating gateway that rejects unauthenticated requests to management endpoints.
# Example nginx rule to block external access to SSO debug routes
location ~* /sso/debug {
allow 10.0.0.0/8; # administrative network only
deny all;
proxy_pass http://litellm_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

