Vulnerability  ·  2026-07-10

LiteLLM MCP Streamable HTTP Endpoint Authentication Bypass via Fabricated Authorization Header

VulnerabilityHigh impactGlobalCVE-2026-59822
BerriAI disclosed and fixed CVE-2026-59822 (CVSS 8.8), an authentication bypass in LiteLLM's MCP Streamable HTTP endpoint that let unauthenticated attackers reach MCP tool-calling functionality by exploiting a flawed OAuth2 fallback path.
LiteLLM is a widely deployed AI gateway/proxy sitting in front of production LLM APIs for many organizations; an authentication bypass on its MCP endpoint could allow unauthenticated attackers to invoke arbitrary MCP tools and LLM API calls, exposing backend model access and any connected tool integrations to unauthorized use.
An unauthenticated attacker sends a fabricated Authorization header to LiteLLM's MCP Streamable HTTP endpoint, triggering an OAuth2 passthrough fallback path. When LiteLLM key validation fails, the application substitutes an empty UserAPIKeyAuth() object but still allows the request to reach MCP tooling, bypassing authentication entirely.
LiteLLM (AI Gateway / LLM proxy) prior to 1.84.0
Upgrade to LiteLLM v1.84.0, which includes this fix plus broader authentication/authorization/MCP security hardening.
Mallory.ai — LiteLLM MCP Endpoint Authentication Bypass Fixed in v1.84.0
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →