VYPR
Unrated severity · NVD Advisory · Published Jun 21, 2026

BerriAI litellm M2M JWT user_api_key_auth.py improper authorization

CVE-2026-12771

Description

A vulnerability was identified in BerriAI litellm up to 1.82.2. This affects an unknown function of the file litellm/proxy/auth/user_api_key_auth.py of the component M2M JWT Handler. Such manipulation leads to improper authorization. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 1

Patches

Vulnerability mechanics

Root cause

"Missing route-level authorization guard in the JWT M2M authentication path allows any JWT with the admin scope to access all management endpoints."

Attack vector

An attacker who possesses a valid M2M JWT containing the `litellm_proxy_admin` scope can call any UI management endpoint (e.g., `/user/new`, `/team/new`, `/key/generate`) on a LiteLLM proxy that has `enable_jwt_auth: true` configured. The JWT authentication path does not enforce the same route-level restrictions that the OAuth2 path does, so the token is accepted as a `PROXY_ADMIN` for all routes [CWE-285]. The attack is remote, requires no prior authentication beyond the JWT itself, and is considered difficult due to the need to obtain or forge a valid M2M JWT with the admin scope [ref_id=1].

Affected code

The vulnerability resides in `litellm/proxy/auth/user_api_key_auth.py`. The JWT M2M authentication block (lines 673–852) lacks a `RouteChecks.is_llm_api_route()` guard, allowing a JWT with the `litellm_proxy_admin` scope to return a `PROXY_ADMIN` role for **any** route, including management endpoints such as `/user/new`, `/team/new`, and `/key/generate`. In contrast, the OAuth2 M2M path (lines 641–668) correctly restricts access to LLM API and info routes only [ref_id=1].

What the fix does

The advisory does not provide a patch diff, but the fix would mirror the OAuth2 M2M guard already present at lines 641–647: before returning a `PROXY_ADMIN` auth object, the JWT path must check `RouteChecks.is_llm_api_route(route)` or `RouteChecks.is_info_route(route)` and reject management routes. Without this guard, any JWT with the `litellm_proxy_admin` scope is treated as a full admin for all endpoints, defeating the intended UI SSO separation [ref_id=1].
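The following is an added illustration written for this page, not litellm's own code, of the authorization gap described above and the guard the advisory says the fix should mirror. The route sets and helper names (`is_llm_api_route`, `is_info_route`) are stand-ins for litellm's `RouteChecks` helpers and are assumptions; the management routes are the ones named in the advisory. JWT signature verification is assumed to have happened upstream, so a token is modelled as its decoded claims.

```python
"""Model of the missing route-level guard on the M2M JWT path.

Not litellm's code. Assumptions (not from the advisory): the route sets below
stand in for RouteChecks.is_llm_api_route / RouteChecks.is_info_route, and the
token's signature has already been verified, so only its claims are modelled.
"""
from dataclasses import dataclass

ADMIN_JWT_SCOPE = "litellm_proxy_admin"  # default admin_jwt_scope per the advisory

# Hypothetical route classification standing in for RouteChecks; the
# management routes are the ones the advisory names.
LLM_API_ROUTES = {"/chat/completions", "/completions", "/embeddings"}
INFO_ROUTES = {"/model/info", "/health"}
MANAGEMENT_ROUTES = {"/user/new", "/team/new", "/key/generate"}


def is_llm_api_route(route: str) -> bool:
    return route in LLM_API_ROUTES


def is_info_route(route: str) -> bool:
    return route in INFO_ROUTES


@dataclass
class AuthResult:
    user_role: str
    reason: str


class AuthError(Exception):
    """Raised when the request must be rejected."""


def _has_admin_scope(claims: dict) -> bool:
    # OAuth-style "scope" claims are space-separated strings; tolerate lists too.
    scope = claims.get("scope", "")
    scopes = scope.split() if isinstance(scope, str) else list(scope)
    return ADMIN_JWT_SCOPE in scopes


def authorize_m2m_jwt_vulnerable(claims: dict, route: str) -> AuthResult:
    """Flawed path: admin scope yields PROXY_ADMIN for *any* route (CWE-285)."""
    if not _has_admin_scope(claims):
        raise AuthError("missing admin scope")
    return AuthResult("PROXY_ADMIN", "admin scope accepted without a route check")


def authorize_m2m_jwt_fixed(claims: dict, route: str) -> AuthResult:
    """Guarded path: same check the advisory says the OAuth2 M2M path already has."""
    if not _has_admin_scope(claims):
        raise AuthError("missing admin scope")
    if not (is_llm_api_route(route) or is_info_route(route)):
        raise AuthError(f"M2M JWT may not call management route {route}")
    return AuthResult("PROXY_ADMIN", "admin scope accepted for an LLM/info route")


def compare(claims: dict, route: str) -> dict:
    """Side-by-side decision of both paths for one token and route."""
    decisions = {}
    for name, fn in (("vulnerable", authorize_m2m_jwt_vulnerable),
                     ("fixed", authorize_m2m_jwt_fixed)):
        try:
            fn(claims, route)
            decisions[name] = "allowed"
        except AuthError as exc:
            decisions[name] = f"denied: {exc}"
    return decisions


if __name__ == "__main__":
    # Constructed sample claims; a real proxy would take them from a verified JWT.
    admin_claims = {"sub": "service-account", "scope": "litellm_proxy_admin"}
    for route in ("/chat/completions", "/user/new", "/key/generate"):
        print(route, compare(admin_claims, route))
```

Running the block prints that the vulnerable path admits the admin-scoped token on `/user/new` and `/key/generate` while the guarded path denies it, and that both paths still admit it on `/chat/completions`; the difference between the two functions is the single route check, which is why the fix is a small change in a single function.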

Preconditions

  • config: The LiteLLM proxy must have `enable_jwt_auth: true` in `general_settings` and a valid JWKS endpoint configured via `JWT_PUBLIC_KEY_URL`.
  • auth: The attacker must possess a valid M2M JWT whose scope claim matches the configured `admin_jwt_scope` (default `litellm_proxy_admin`).
  • network: The attack is launched over the network against the proxy's HTTP API.

Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in the index yet)