What happened
BerriAI disclosed and fixed CVE-2026-59822 (CVSS 8.8), an authentication bypass in LiteLLM's MCP Streamable HTTP endpoint that let unauthenticated attackers reach MCP tool-calling functionality by exploiting a flawed OAuth2 fallback path.
Why it matters
LiteLLM is a widely deployed AI gateway/proxy sitting in front of production LLM APIs for many organizations; an authentication bypass on its MCP endpoint could allow unauthenticated attackers to invoke arbitrary MCP tools and LLM API calls, exposing backend model access and any connected tool integrations to unauthorized use.
Attack vector
An unauthenticated attacker sends a fabricated Authorization header to LiteLLM's MCP Streamable HTTP endpoint, triggering an OAuth2 passthrough fallback path. When LiteLLM key validation fails, the application substitutes an empty UserAPIKeyAuth() object but still allows the request to reach MCP tooling, bypassing authentication entirely.
Affected systems
LiteLLM (AI Gateway / LLM proxy) prior to 1.84.0
Mitigation
Upgrade to LiteLLM v1.84.0, which includes this fix plus broader authentication/authorization/MCP security hardening.