VYPR
Unrated severity · NVD Advisory · Published Jun 21, 2026

BerriAI litellm MCP OpenAPI Spec Loader openapi_to_mcp_generator.py load_openapi_spec_async server-side request forgery

CVE-2026-12798

Description

A weakness has been identified in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function load_openapi_spec_async of the file litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py of the component MCP OpenAPI Spec Loader. This manipulation of the argument spec_path causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing URL validation in load_openapi_spec_async() allows server-side request forgery via user-controlled spec_path."

Attack vector

An authenticated attacker (any API key holder, not only admins) sends a POST request to `/mcp-rest/test/tools/list` with a `spec_path` parameter pointing to an internal or attacker-controlled URL [ref_id=1]. The server fetches that URL via `httpx.get()` without any IP-range filtering, cloud-metadata blocking, or DNS-rebinding protection, enabling internal service discovery, port scanning, and cloud metadata credential exfiltration [CWE-918].

Affected code

The vulnerability resides in `litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py` in the `load_openapi_spec_async()` function (lines 75–82), which issues an unvalidated HTTP GET request to a user-supplied `spec_path` URL. The call chain flows from the `/mcp-rest/test/tools/list` endpoint in `rest_endpoints.py` (lines 1043–1054) through `_preview_openapi_tools()` (lines 971–980) to the vulnerable sink.

What the fix does

The advisory does not include a published patch; its "Patched versions" field is blank [ref_id=1]. To remediate, the `load_openapi_spec_async()` function must validate the `spec_path` URL before issuing the HTTP request: block private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8), block cloud metadata endpoints (169.254.169.254), and implement a hostname allowlist or DNS-rebinding protection. Without such validation, any authenticated user can force the server to make arbitrary outbound requests.
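One way to implement the validation described above, as an added example (not LiteLLM's code and not a vendor patch). The names `validate_spec_url`, `UnsafeSpecURL`, `allowed_hosts` and `resolver` are assumptions made for illustration; the check also rejects any non-global address, which goes beyond the ranges listed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named in the remediation text; 169.254.0.0/16 covers 169.254.169.254.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

class UnsafeSpecURL(ValueError):
    """Raised when spec_path must not be fetched (hypothetical name)."""

def system_resolver(host, port):
    """Resolve host to every address the OS would offer for a TCP connection."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise UnsafeSpecURL(f"cannot resolve {host!r}") from exc
    return [info[4][0] for info in infos]

def validate_spec_url(spec_path, allowed_hosts=None, resolver=system_resolver):
    """Return (host, port, pinned_ip) for a fetchable URL, else raise UnsafeSpecURL."""
    parts = urlsplit(spec_path)
    if parts.scheme not in ("http", "https"):
        raise UnsafeSpecURL(f"scheme {parts.scheme!r} not allowed")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise UnsafeSpecURL("URL has no host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise UnsafeSpecURL(f"host {host!r} not on allowlist")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolver(host, port)
    if not addrs:
        raise UnsafeSpecURL(f"{host!r} resolved to no addresses")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback in IPv6 form
        # Reject if any record is internal, not only the first one returned.
        if not ip.is_global or any(ip in net for net in BLOCKED_NETS):
            raise UnsafeSpecURL(f"{host!r} resolves to blocked address {ip}")
    # The caller should connect to this exact IP (Host header / SNI = host)
    # rather than resolving again, and repeat the check on every redirect hop.
    return host, port, addrs[0]
```

Returning the validated address lets the HTTP client connect to the IP that was checked, so a second DNS lookup cannot return a different, internal answer.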

Preconditions

  • auth: Attacker must have a valid API key for the LiteLLM proxy (any authenticated user, not admin-only)
  • config: The MCP REST API must be enabled (enabled by default)
  • network: Attacker must be able to send HTTP POST requests to the /mcp-rest/test/tools/list endpoint
  • input: The spec_path parameter is user-controlled and passed directly to the HTTP client

Reproduction

1. Start a LiteLLM proxy with a valid API key and PostgreSQL database.
2. Run the exploit environment: `git clone <repo> && cd REPORT-mcp-spec-path-ssrf-variant-exp/ && docker compose up -d`.
3. Trigger SSRF to an internal service: `curl -X POST "http://localhost:4001/mcp-rest/test/tools/list" -H "Authorization: Bearer sk-1234" -H "Content-Type: application/json" -d '{"spec_path": "http://internal-service:8080/", "transport": "sse"}'`.
4. Observe HTTP 200 response with parsed content, confirming the server fetched the internal URL [ref_id=1].

Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
