{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12773", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-06-20T09:26:26.143Z", "datePublished": "2026-06-21T03:15:08.647Z", "dateUpdated": "2026-06-22T17:56:03.365Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-06-21T03:15:08.647Z"}, "title": "BerriAI litellm MCP Proxy user_api_key_auth_mcp.py UserAPIKeyAuth improper authentication", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "Improper Authentication"}]}], "affected": [{"vendor": "BerriAI", "product": "litellm", "versions": [{"version": "1.59.0", "status": "affected"}, {"version": "1.59.1", "status": "affected"}, {"version": "1.59.2", "status": "affected"}, {"version": "1.59.3", "status": "affected"}, {"version": "1.59.4", "status": "affected"}, {"version": "1.59.5", "status": "affected"}, {"version": "1.59.6", "status": "affected"}, {"version": "1.59.7", "status": "affected"}, {"version": "1.59.8", "status": "affected"}], "cpes": ["cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*"], "modules": ["MCP Proxy"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-06-20T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-06-20T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-06-20T11:31:42.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-c (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/372515", "name": "VDB-372515 | BerriAI litellm MCP Proxy user_api_key_auth_mcp.py UserAPIKeyAuth improper authentication", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/372515/cti", "name": "VDB-372515 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/cve/CVE-2026-12773", "name": "CVE-2026-12773 | CVE Analysis and Report", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/811282", "name": "Submit #811282 | litellm <= 1.59.8 Improper Authentication (CWE-287)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/3cfaad10a69d7a15e4d4d458cb53309e", "tags": ["exploit"]}]}, "adp": [{"references": [{"url": "https://vuldb.com/submit/811282", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-22T17:55:49.325110Z", "id": "CVE-2026-12773", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T17:56:03.365Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12773", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-22T17:55:49.325110Z"}}}], "references": [{"url": "https://vuldb.com/submit/811282", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T17:55:29.912Z"}}], "cna": {"title": "BerriAI litellm MCP Proxy user_api_key_auth_mcp.py UserAPIKeyAuth improper authentication", "credits": [{"lang": "en", "type": "reporter", "value": "Eric-c (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*"], "vendor": "BerriAI", "modules": ["MCP Proxy"], "product": "litellm", "versions": [{"status": "affected", "version": "1.59.0"}, {"status": "affected", "version": "1.59.1"}, {"status": "affected", "version": "1.59.2"}, {"status": "affected", "version": "1.59.3"}, {"status": "affected", "version": "1.59.4"}, {"status": "affected", "version": "1.59.5"}, {"status": "affected", "version": "1.59.6"}, {"status": "affected", "version": "1.59.7"}, {"status": "affected", "version": "1.59.8"}]}], "timeline": [{"lang": "en", "time": "2026-06-20T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-06-20T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-06-20T11:31:42.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/372515", "name": "VDB-372515 | BerriAI litellm MCP Proxy user_api_key_auth_mcp.py UserAPIKeyAuth improper authentication", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/372515/cti", "name": "VDB-372515 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/cve/CVE-2026-12773", "name": "CVE-2026-12773 | CVE Analysis and Report", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/811282", "name": "Submit #811282 | litellm <= 1.59.8 Improper Authentication (CWE-287)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/3cfaad10a69d7a15e4d4d458cb53309e", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "Improper Authentication"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-06-21T03:15:08.647Z"}}}, "cveMetadata": {"cveId": "CVE-2026-12773", "state": "PUBLISHED", "dateUpdated": "2026-06-22T17:56:03.365Z", "dateReserved": "2026-06-20T09:26:26.143Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-06-21T03:15:08.647Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "litellm: BerriAI litellm: Improper authentication in MCP Proxy via UserAPIKeyAuth function", "id": "2491112", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491112"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-303", "details": ["A flaw was found in BerriAI litellm, within its MCP Proxy component. A remote attacker could exploit an improper authentication vulnerability in the UserAPIKeyAuth function. This could allow unauthorized access, potentially compromising the confidentiality, integrity, and availability of data within the system."], "mitigation": {"lang": "en:us", "value": "Upgrade to litellm 1.81.16 or later. As a workaround, do not configure backend MCP servers with allow_all_keys: true, and restrict network access to the LiteLLM MCP proxy endpoints."}, "name": "CVE-2026-12773", "package_state": [{"cpe": "cpe:/a:redhat:exploit_intelligence:0", "fix_state": "Affected", "package_name": "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9", "product_name": "Exploit Intelligence"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-26/lightspeed-chatbot-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-27/lightspeed-chatbot-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-06-21T03:15:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-12773\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-12773\nhttps://gist.github.com/YLChen-007/3cfaad10a69d7a15e4d4d458cb53309e\nhttps://vuldb.com/cve/CVE-2026-12773\nhttps://vuldb.com/submit/811282\nhttps://vuldb.com/vuln/372515\nhttps://vuldb.com/vuln/372515/cti"], "statement": "A flaw was found in litellm. When the LiteLLM proxy MCP authentication flow mishandles 401/403 errors from API key validation, an attacker may bypass MCP proxy authentication and reach backend MCP servers that are configured with allow_all_keys: true. This issue affects litellm versions prior to 1.81.16 as shipped in select Red Hat products.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.59.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.59.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.59.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.59.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.59.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.59.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.59.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.59.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.59.8"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "litellm", "source": "cna", "vendor": "BerriAI"}, "product": "litellm", "vendor": "litellm"}], "created": "2026-06-21T10:30:05.850542+00:00", "updated": "2026-06-26T14:45:06.276615+00:00", "vendors": ["litellm", "litellm$PRODUCT$litellm"]}