CVE-2026-12773

Source
https://cve.org/CVERecord?id=CVE-2026-12773
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12773.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-12773
Published
2026-06-21T03:15:08.647Z
Modified
2026-07-08T08:12:39.896900400Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
BerriAI litellm MCP Proxy user_api_key_auth_mcp.py UserAPIKeyAuth improper authentication
Details

A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/experimental/mcpserver/auth/userapikeyauthmcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "1.59.0"
                },
                {
                    "last_affected": "1.59.0"
                },
                {
                    "introduced": "1.59.1"
                },
                {
                    "last_affected": "1.59.1"
                },
                {
                    "introduced": "1.59.2"
                },
                {
                    "last_affected": "1.59.2"
                },
                {
                    "introduced": "1.59.3"
                },
                {
                    "last_affected": "1.59.3"
                },
                {
                    "introduced": "1.59.4"
                },
                {
                    "last_affected": "1.59.4"
                },
                {
                    "introduced": "1.59.5"
                },
                {
                    "last_affected": "1.59.5"
                },
                {
                    "introduced": "1.59.6"
                },
                {
                    "last_affected": "1.59.6"
                },
                {
                    "introduced": "1.59.7"
                },
                {
                    "last_affected": "1.59.7"
                },
                {
                    "introduced": "1.59.8"
                },
                {
                    "last_affected": "1.59.8"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12773.json",
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Git / github.com/berriai/litellm

Affected ranges

Type
GIT
Repo
https://github.com/berriai/litellm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.59.9"
        }
    ]
}

Affected versions

1.*
1.16.12
1.16.13
1.16.14
1.34.2
1.34.20-stable
1.34.28.dev3
1.34.35-stable
1.34.39.dev1
1.35.1.dev1
1.35.13.dev1
1.35.24.dev6
1.35.33.dev4
1.35.36.dev1
1.35.5.dev2
1.40.8.dev1
1.41.11.dev5
1.41.12.dev1
1.41.14.dev15
1.44.6
Other
latest
pr-litellm-spend-logs-db
stable
test
v.*
v.1.32.34-stable
v0.*
v0.1.387
v0.1.492
v0.1.574
v0.1.738
v0.11.1
v0.8.4
v1.*
v1.1.0
v1.10.4
v1.11.1
v1.15.0
v1.15.5
v1.16-test2
v1.16-test3
v1.16-test4
v1.16.13
v1.16.15
v1.16.16
v1.16.17
v1.16.17-test
v1.16.17-test2
v1.16.17-test3
v1.16.18
v1.16.19
v1.16.20
v1.16.20.dev1
v1.16.20.dev3
v1.16.21
v1.16.3
v1.16.6
v1.17.0
v1.17.1
v1.17.10
v1.17.12
v1.17.13
v1.17.14
v1.17.15
v1.17.16
v1.17.17
v1.17.18
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.17.7
v1.17.8
v1.17.9
v1.18.0
v1.18.1
v1.18.10
v1.18.11
v1.18.12
v1.18.13
v1.18.2
v1.18.4
v1.18.5
v1.18.6
v1.18.7
v1.18.8
v1.18.9
v1.19.0
v1.19.2
v1.19.3
v1.19.4
v1.19.6
v1.20.0
v1.20.1
v1.20.2
v1.20.3
v1.20.5
v1.20.6
v1.20.7
v1.20.8
v1.20.9
v1.21.0
v1.21.1
v1.21.4
v1.21.5
v1.21.6
v1.21.7
v1.22.10
v1.22.11
v1.22.2
v1.22.3
v1.22.5
v1.22.8
v1.22.9
v1.23.0
v1.23.1
v1.23.10
v1.23.12
v1.23.14
v1.23.15
v1.23.16
v1.23.2
v1.23.3
v1.23.4
v1.23.5
v1.23.7
v1.23.8
v1.23.9
v1.24.1
v1.24.3
v1.24.5
v1.24.6
v1.25.0
v1.25.1
v1.25.2
v1.26.0
v1.26.1
v1.26.10
v1.26.11
v1.26.13
v1.26.2
v1.26.3
v1.26.4
v1.26.5
v1.26.6
v1.26.7
v1.26.8
v1.26.9
v1.27.1
v1.27.10
v1.27.14
v1.27.15
v1.27.4
v1.27.6
v1.27.7
v1.27.8
v1.27.9
v1.28.0
v1.28.1
v1.28.10
v1.28.11
v1.28.13
v1.28.2
v1.28.3
v1.28.4
v1.28.6
v1.28.7
v1.28.8
v1.28.9
v1.29.1
v1.29.3
v1.29.4
v1.29.5
v1.29.7
v1.30.0
v1.30.1
v1.30.2
v1.30.3
v1.30.4
v1.30.5
v1.30.6
v1.30.7
v1.31.10
v1.31.12
v1.31.12-dev
v1.31.12-dev1
v1.31.12-dev3
v1.31.13
v1.31.14
v1.31.15
v1.31.16
v1.31.17
v1.31.2
v1.31.3
v1.31.4
v1.31.5
v1.31.6
v1.31.7
v1.31.8
v1.31.9
v1.32.1
v1.32.3
v1.32.33-stable
v1.32.33.dev1
v1.32.4
v1.32.7
v1.32.7.dev1
v1.32.7.dev3
v1.32.7.dev5
v1.32.9
v1.33.0
v1.33.1
v1.33.2
v1.33.3
v1.33.4
v1.33.7
v1.33.8
v1.33.9
v1.34.0
v1.34.1
v1.34.10
v1.34.10.dev1
v1.34.12
v1.34.13
v1.34.14
v1.34.16
v1.34.17
v1.34.18
v1.34.19
v1.34.20
v1.34.21
v1.34.21-stable
v1.34.22
v1.34.22-stable
v1.34.22.dev15-stable
v1.34.23-stable
v1.34.25
v1.34.26
v1.34.27
v1.34.28
v1.34.28.dev12
v1.34.29
v1.34.3
v1.34.33
v1.34.34
v1.34.34.dev1
v1.34.35
v1.34.36
v1.34.36.dev2
v1.34.37
v1.34.37.dev1
v1.34.38
v1.34.39
v1.34.4
v1.34.4.dev1
v1.34.4.dev2
v1.34.40
v1.34.41
v1.34.42
v1.34.5
v1.34.6
v1.34.8
v1.34.8.dev1
v1.35.0
v1.35.1
v1.35.1.dev1
v1.35.1.dev2
v1.35.10
v1.35.11
v1.35.12
v1.35.13
v1.35.14
v1.35.15
v1.35.15-stable
v1.35.16
v1.35.17
v1.35.18
v1.35.19
v1.35.2
v1.35.20
v1.35.20.dev2
v1.35.21
v1.35.21-stable
v1.35.23
v1.35.24
v1.35.24.dev1
v1.35.25
v1.35.26
v1.35.26.dev1
v1.35.28
v1.35.28.dev1
v1.35.29
v1.35.3
v1.35.30
v1.35.31
v1.35.32
v1.35.32.dev1
v1.35.33
v1.35.33.dev1
v1.35.33.dev2
v1.35.33.dev3
v1.35.34
v1.35.35
v1.35.35.dev1
v1.35.36
v1.35.36-dev2
v1.35.37
v1.35.38
v1.35.38-stable
v1.35.4
v1.35.5
v1.35.6
v1.35.7
v1.35.8
v1.35.8.dev1
v1.36.0
v1.36.1
v1.36.2
v1.36.2-stable
v1.36.3
v1.36.4
v1.36.4-stable
v1.37.0
v1.37.0.dev_version_headers
v1.37.10
v1.37.11
v1.37.12
v1.37.12-stable
v1.37.12.dev1
v1.37.13
v1.37.13-stable
v1.37.14
v1.37.16
v1.37.16-stable
v1.37.17
v1.37.19
v1.37.19-stable
v1.37.2
v1.37.20
v1.37.20.dev1
v1.37.3
v1.37.3-stable
v1.37.5
v1.37.5-stable
v1.37.6
v1.37.7
v1.37.7-stable
v1.37.9
v1.37.9-stable
v1.38.0
v1.38.0-stable
v1.38.1
v1.38.10
v1.38.11
v1.38.12
v1.38.2
v1.38.3
v1.38.4
v1.38.4-stable
v1.38.5
v1.38.7
v1.38.7-stable
v1.38.8
v1.38.8-stable
v1.39.2
v1.39.3
v1.39.4
v1.39.5
v1.39.5-stable
v1.39.6
v1.40.0
v1.40.1
v1.40.1.dev2
v1.40.1.dev4
v1.40.10
v1.40.11
v1.40.12
v1.40.13
v1.40.14
v1.40.15
v1.40.16
v1.40.17
v1.40.19
v1.40.2
v1.40.2-stable
v1.40.20
v1.40.21
v1.40.22
v1.40.24
v1.40.25
v1.40.26
v1.40.27
v1.40.28
v1.40.29
v1.40.3
v1.40.3-stable
v1.40.31
v1.40.4
v1.40.5
v1.40.6
v1.40.7
v1.40.7.dev1
v1.40.8
v1.40.8-stable
v1.40.9
v1.40.9-stable
v1.41.0
v1.41.0-stable
v1.41.1
v1.41.11
v1.41.11.dev1
v1.41.12
v1.41.13
v1.41.14
v1.41.14.dev10
v1.41.14.dev8
v1.41.15
v1.41.17
v1.41.18
v1.41.19
v1.41.2
v1.41.2-stable
v1.41.20
v1.41.21
v1.41.22
v1.41.23
v1.41.23-stable
v1.41.24
v1.41.24.dev1
v1.41.25
v1.41.26
v1.41.26.dev1
v1.41.27
v1.41.28
v1.41.3
v1.41.3.dev2
v1.41.4
v1.41.4.dev1
v1.41.5
v1.41.5.dev1
v1.41.6
v1.41.6.dev1
v1.41.7
v1.41.8
v1.41.8.dev1
v1.41.8.dev2
v1.42.0
v1.42.0-stable
v1.42.1
v1.42.10
v1.42.10-stable
v1.42.11
v1.42.12
v1.42.2
v1.42.2-stable
v1.42.3
v1.42.3-stable
v1.42.4
v1.42.4-stable
v1.42.5
v1.42.5-dev1
v1.42.5-dev2
v1.42.5-stable
v1.42.6
v1.42.7
v1.42.7-stable
v1.42.8
v1.42.9
v1.42.9-stable
v1.42.9-stable-fix
v1.42.9.dev1
v1.43.0
v1.43.1
v1.43.1-dev1
v1.43.10
v1.43.10-stable
v1.43.12
v1.43.13
v1.43.13-stable
v1.43.15
v1.43.15-stable
v1.43.16
v1.43.16-stable
v1.43.17
v1.43.18
v1.43.18-stable
v1.43.19
v1.43.19-stable
v1.43.19.dev1
v1.43.19.dev2
v1.43.2
v1.43.3
v1.43.4
v1.43.4.dev5
v1.43.5
v1.43.5-stable
v1.43.6
v1.43.6-stable
v1.43.6.dev1
v1.43.7
v1.43.7-stable
v1.43.9
v1.44.1
v1.44.10
v1.44.10-stable
v1.44.11
v1.44.11-stable
v1.44.12
v1.44.12-stable
v1.44.13
v1.44.13-stable
v1.44.14
v1.44.14-stable
v1.44.15
v1.44.15-stable
v1.44.16
v1.44.16-stable
v1.44.17
v1.44.17-stable
v1.44.18
v1.44.18-stable
v1.44.19
v1.44.19-stable
v1.44.2
v1.44.21
v1.44.21-stable
v1.44.22
v1.44.22-stable
v1.44.23
v1.44.23-stable
v1.44.24
v1.44.25
v1.44.26
v1.44.27
v1.44.28
v1.44.3
v1.44.4
v1.44.4.dev2
v1.44.5
v1.44.6
v1.44.6-stable
v1.44.7
v1.44.8
v1.44.8-dev1
v1.44.9
v1.45.0
v1.46.0
v1.46.1
v1.46.2
v1.46.4
v1.46.5
v1.46.6
v1.46.7
v1.46.8
v1.47.0
v1.47.1
v1.47.2
v1.47.2.dev4
v1.48.0
v1.48.1
v1.48.10
v1.48.11
v1.48.11-stable
v1.48.12
v1.48.14
v1.48.14-stable
v1.48.15
v1.48.16
v1.48.16-stable
v1.48.17
v1.48.17-stable
v1.48.18
v1.48.19
v1.48.19-stable
v1.48.2
v1.48.2.dev8
v1.48.3
v1.48.4
v1.48.4-stable
v1.48.5
v1.48.5-stable
v1.48.5.dev1
v1.48.6
v1.48.7
v1.48.7-stable
v1.48.8
v1.48.8-stable
v1.48.9
v1.48.9-stable
v1.49.0
v1.49.0-stable
v1.49.1
v1.49.2
v1.49.2-stable
v1.49.3
v1.49.3-stable
v1.49.4
v1.49.5
v1.49.6
v1.49.6-stable
v1.49.7
v1.49.7-stable
v1.50.0
v1.50.0-stable
v1.50.1
v1.50.1-stable
v1.50.2
v1.50.2-stable
v1.50.4
v1.50.4-stable
v1.51.0
v1.51.0-stable
v1.51.1
v1.51.1-stable
v1.51.2
v1.51.3
v1.51.3.dev10
v1.52.0
v1.52.0-stable
v1.52.1
v1.52.10
v1.52.11
v1.52.12
v1.52.14
v1.52.15
v1.52.16
v1.52.16.dev1
v1.52.2
v1.52.3
v1.52.4
v1.52.5
v1.52.6
v1.52.8
v1.52.9
v1.53.1
v1.53.2
v1.53.3
v1.53.4
v1.53.5
v1.53.6
v1.53.7
v1.53.7-stable
v1.53.7.dev4
v1.53.8
v1.53.9
v1.54.0
v1.54.1
v1.55.0
v1.55.1
v1.55.10
v1.55.11
v1.55.12
v1.55.2
v1.55.3
v1.55.4
v1.55.4-test-release
v1.55.4-test-release-2
v1.55.8
v1.55.9
v1.55.9-test
v1.55.9-test2
v1.56.10
v1.56.2
v1.56.3
v1.56.4
v1.56.5
v1.56.6
v1.56.8
v1.56.9
v1.57.0
v1.57.1
v1.57.10
v1.57.11
v1.57.2
v1.57.3
v1.57.4
v1.57.5
v1.57.7
v1.57.8
v1.58.0
v1.58.1
v1.58.2
v1.58.4
v1.59.0
v1.59.1
v1.59.2
v1.59.3
v1.59.5
v1.59.6
v1.59.7
v1.59.8
v1.7.1
v1.7.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12773.json"