Litellm: Ten Vulnerabilities Including Auth Bypass and SSRF Disclosed Together

Key findings
- Ten vulnerabilities in Litellm disclosed on June 21, 2026, affecting versions up to 1.82.5.
- Key issues include improper authorization, server-side request forgery (SSRF), and session expiration flaws.
- Multiple CVEs have publicly disclosed exploits, increasing immediate risk.
- Vulnerabilities span core components including proxy management and authentication flows.
- Users should update Litellm to patched versions to mitigate risks.
On June 21, 2026, a batch of ten security vulnerabilities was disclosed for BerriAI's Litellm, a popular Python library for interacting with various large language models. The vulnerabilities, disclosed within a 10-hour window, span several components of Litellm, including its proxy management, authentication flows, and experimental features. The disclosures highlight issues such as improper authorization, server-side request forgery (SSRF), and session expiration, impacting versions up to 1.82.5.
Five of the ten are authorization flaws. CVE-2026-12799 (internal_user_endpoints.py), CVE-2026-12770 (key_management_endpoints.py), CVE-2026-12797 (banned_keywords.py) and CVE-2026-12773 (user_api_key_auth_mcp.py) are all classed as improper authorization, as is CVE-2026-12771 in the M2M JWT handler. In this class of bug the caller is authenticated, but the code path does not adequately check whether that caller is entitled to the specific operation or object it requests.
Server-side request forgery (SSRF) is the second theme. CVE-2026-12798, in the MCP OpenAPI spec loader (load_openapi_spec_async), and CVE-2026-12774, in MCP server connection testing (_execute_with_mcp_client), both allow SSRF: the proxy itself can be induced to issue requests to destinations of the caller's choosing.
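The usual defence for a server-side fetch of a caller-supplied URL is to vet the destination before connecting. The following is an added example and not code from the Litellm project; the names vet_outbound_url, resolve_all, fake_resolver and the fake DNS table are this example's own, and the sample records are constructed so it runs offline. It rejects non-HTTP schemes, embedded credentials, and any hostname that resolves to a loopback, private, link-local or otherwise non-global address (including IPv4-mapped IPv6 forms), and it returns the vetted IP so the caller can pin the connection to it rather than resolving the name a second time.

```python
"""Vet an operator-supplied URL before a server-side fetch such as loading an
OpenAPI spec or testing an MCP server connection. Hypothetical hardening example."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Resolve host to every IPv4/IPv6 address it maps to (live DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({ipaddress.ip_address(info[4][0]) for info in infos}, key=str)


def is_public_address(ip):
    """True only for globally routable unicast addresses. IPv4-mapped IPv6
    (::ffff:127.0.0.1) is unwrapped so it cannot smuggle loopback past the check."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def vet_outbound_url(url, resolver=resolve_all):
    """Return (allowed, reason, pinned_ip).

    On success the caller should connect to pinned_ip (sending the original Host
    header) instead of resolving the name again, so a second DNS answer cannot
    redirect the request to an internal address (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in the URL are not allowed", None
    host = parts.hostname
    if not host:
        return False, "URL has no host", None
    try:
        addresses = resolver(host)
    except (socket.gaierror, ValueError, KeyError) as exc:
        return False, f"cannot resolve {host!r}: {exc}", None
    if not addresses:
        return False, f"{host!r} resolved to no addresses", None
    # Every record must be public: one internal A record among public ones is
    # enough for an attacker who controls the zone.
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}", None
    return True, "ok", addresses[0]


# Constructed sample DNS records so the example runs without network access.
_FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.google.internal": ["169.254.169.254"],
    "split.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host):
    """Offline stand-in for resolve_all: IP literals resolve to themselves."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in _FAKE_DNS[host]]


def demo():
    urls = [
        "https://api.example.com/openapi.json",
        "http://localhost:4000/openapi.json",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "http://split.example/",
        "file:///etc/passwd",
        "http://user:pw@api.example.com/",
    ]
    return {u: vet_outbound_url(u, fake_resolver) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason, ip) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {url:45} {reason} {ip or ''}")
```

The allow-list of schemes and the "all records must be public" rule are deliberately strict; a deployment that legitimately needs to reach internal MCP servers should add an explicit allow-list of those hosts rather than relaxing the address check.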
Two CVEs concern session expiration. CVE-2026-12796, in the SSO authentication flow (get_redirect_response_from_openid), and CVE-2026-12772, in the PROXY_ADMIN database API key generator (authenticate_user), are classed as session expiration flaws, the pattern in which a session or credential remains usable after it should have lapsed. A further issue, CVE-2026-12795 in the SSO debug flow, is a missing-authentication flaw.
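The two control classes discussed above, an expiry enforced when a key is looked up and an ownership check on a per-user endpoint, are easiest to see side by side. The following is an added example, not Litellm's own code: a hypothetical in-memory key store with a mandatory, capped TTL, plus a user-info endpoint shown once in the vulnerable "authenticate but never authorize" form and once with the check. The role names, the 90-day cap and the sample users are this example's own assumptions.

```python
"""Hypothetical key store: hard expiry at lookup time and an ownership check on a
per-user endpoint. Added example, not the project's code."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_KEY_TTL = timedelta(days=90)   # assumed policy cap; tune per deployment


class AuthError(Exception):
    """Authentication failed: unknown or expired key."""


class Forbidden(Exception):
    """Authenticated, but not entitled to the requested object."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str            # "proxy_admin" or "internal_user" (assumed role names)
    expires_at: datetime  # never None: every key carries a hard expiry


def _fingerprint(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()   # store hashes, never raw keys


class KeyStore:
    def __init__(self):
        self._records: dict[str, Principal] = {}

    def generate(self, user_id, role, ttl, now):
        """Issue a key. A missing, zero or over-cap TTL is refused up front rather
        than silently defaulting to 'never expires'."""
        if ttl is None or ttl <= timedelta(0) or ttl > MAX_KEY_TTL:
            raise ValueError(f"ttl must be within (0, {MAX_KEY_TTL}]")
        key = "sk-" + secrets.token_urlsafe(32)
        self._records[_fingerprint(key)] = Principal(user_id, role, now + ttl)
        return key

    def authenticate(self, key, now) -> Principal:
        """Look up a key and enforce its expiry; expired records are purged."""
        fp = _fingerprint(key)
        rec = self._records.get(fp)
        if rec is None:
            raise AuthError("unknown key")
        if now >= rec.expires_at:
            self._records.pop(fp, None)
            raise AuthError("expired key")
        return rec


def can_read_user(principal, target_user_id):
    """Admins may read anyone; everyone else only their own record."""
    return principal.role == "proxy_admin" or principal.user_id == target_user_id


def get_user_info_vulnerable(store, key, target_user_id, now, users):
    store.authenticate(key, now)      # authentication only ...
    return users[target_user_id]      # ... so any valid key reads any user


def get_user_info(store, key, target_user_id, now, users):
    principal = store.authenticate(key, now)
    if not can_read_user(principal, target_user_id):
        raise Forbidden(f"{principal.user_id} may not read {target_user_id}")
    return users[target_user_id]


def demo():
    now = datetime(2026, 6, 22, tzinfo=timezone.utc)
    users = {"alice": {"spend": 1.5}, "bob": {"spend": 9.0}}   # constructed sample data
    store = KeyStore()
    alice_key = store.generate("alice", "internal_user", timedelta(hours=1), now)
    admin_key = store.generate("root", "proxy_admin", timedelta(hours=1), now)
    out = {"vuln_cross_user": get_user_info_vulnerable(store, alice_key, "bob", now, users)}
    try:
        get_user_info(store, alice_key, "bob", now, users)
        out["fixed_cross_user"] = "allowed"
    except Forbidden:
        out["fixed_cross_user"] = "forbidden"
    out["admin_cross_user"] = get_user_info(store, admin_key, "bob", now, users)
    try:
        get_user_info(store, alice_key, "alice", now + timedelta(hours=2), users)
        out["after_expiry"] = "allowed"
    except AuthError:
        out["after_expiry"] = "expired"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the vulnerable variant is that it is not missing authentication at all; the key is valid and checked. What is missing is the second question, whether this principal may touch this object, and that is the question the improper-authorization CVEs above are about.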
Exploit details are already public for four of the ten: CVE-2026-12795, CVE-2026-12773, CVE-2026-12772 and CVE-2026-12770. Those four should be treated as the most likely to see active exploitation and prioritized accordingly.
Affected versions run up to 1.82.5 overall, with tighter bounds quoted for individual CVEs: up to 1.82.2 for CVE-2026-12799, CVE-2026-12798, CVE-2026-12796, CVE-2026-12795, CVE-2026-12774, CVE-2026-12772, CVE-2026-12771 and CVE-2026-12770, and up to 1.59.8 for CVE-2026-12773. CVE-2026-12770 is quoted with two different upper bounds (1.82.2 and 1.63.1); until that is reconciled, treat the higher one as authoritative. Users are advised to update to patched versions as soon as possible.
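Checking an installed copy against these bounds is a version comparison, not a string comparison (as a string, "1.82.10" sorts before "1.82.5"). The following is an added triage helper, not a vendor tool: the per-CVE bounds are copied from the paragraph above, the conflicting CVE-2026-12770 bound is resolved toward the higher value, and CVE-2026-12797, which has no per-CVE bound in the text, is assumed to follow the batch-wide 1.82.5. The function names and the pre-release handling are this example's own.

```python
"""Compare an installed litellm version against the per-CVE upper bounds quoted in
this advisory. Added triage helper; bounds are transcribed from the text above."""
import re
from importlib import metadata

# Highest affected version per CVE. CVE-2026-12770 is quoted with both 1.82.2 and
# 1.63.1; the higher bound is kept so the check errs toward "affected".
# CVE-2026-12797 has no per-CVE bound in the text, so the batch-wide 1.82.5 is assumed.
AFFECTED_UP_TO = {
    "CVE-2026-12799": "1.82.2",
    "CVE-2026-12798": "1.82.2",
    "CVE-2026-12797": "1.82.5",
    "CVE-2026-12796": "1.82.2",
    "CVE-2026-12795": "1.82.2",
    "CVE-2026-12774": "1.82.2",
    "CVE-2026-12773": "1.59.8",
    "CVE-2026-12772": "1.82.2",
    "CVE-2026-12771": "1.82.2",
    "CVE-2026-12770": "1.82.2",
}
# CVEs the advisory lists as having public exploits.
PUBLIC_EXPLOIT = {"CVE-2026-12795", "CVE-2026-12773", "CVE-2026-12772", "CVE-2026-12770"}

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:[.-]?(a|b|rc|dev)\d*)?")


def parse_version(text):
    """Numeric tuple so 1.82.10 sorts after 1.82.5. A pre-release such as
    1.83.0rc1 is ordered before the release it precedes, which is the
    conservative choice when comparing against an inclusive upper bound."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # 1.82 -> 1.82.0
    return nums + ((0,) if m.group(2) else (1,))


def affected_cves(version):
    """CVEs whose quoted bound covers `version`, public-exploit CVEs first."""
    installed = parse_version(version)
    hits = [cve for cve, bound in AFFECTED_UP_TO.items()
            if installed <= parse_version(bound)]
    return sorted(hits, key=lambda cve: (cve not in PUBLIC_EXPLOIT, cve))


def installed_litellm_version():
    """Version of the litellm distribution in this environment, or None."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    v = installed_litellm_version()
    if v is None:
        print("litellm is not installed in this environment")
    else:
        hits = affected_cves(v)
        print(f"litellm {v}: {len(hits)} of {len(AFFECTED_UP_TO)} advisory CVEs in range")
        for cve in hits:
            flag = " (public exploit)" if cve in PUBLIC_EXPLOIT else ""
            print(f"  {cve} affects <= {AFFECTED_UP_TO[cve]}{flag}")
```

Run it on every host that carries the proxy, not just the one used for development; the version that matters is the one actually imported at runtime, which is why the helper reads distribution metadata rather than a requirements file.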
A batch of this size in a widely deployed library is a reminder that patching and periodic security review need to keep pace with the library's own release cadence. Organizations running Litellm should update to the latest secure release, confirm the installed version on every host that serves the proxy, and, where updating is delayed, give first attention to the four CVEs with public exploits. Further investigation into the specific attack vectors and impact of each CVE is recommended before deciding that any deployment is unaffected.