What happened
A vulnerability in BerriAI LiteLLM up to and including version 1.59.8 has been classified as improper authentication in the UserAPIKeyAuth function in litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py (MCP Proxy component). Successful exploitation can bypass the authentication controls of the MCP Proxy. CVSS 7.3 (High); published 2026-06-21. A proof of concept (PoC) has been made public via a GitHub gist.
Why it matters
The LiteLLM MCP Proxy is the authentication gate for Model Context Protocol tool calls routed through LiteLLM. An authentication bypass here lets unauthenticated callers invoke MCP-connected tools (code execution sandboxes, database connectors, web browsing tools) without any credentials, which directly enables takeover of the agentic actions those tools perform.
Attack vector
A remote, unauthenticated HTTP request that manipulates the UserAPIKeyAuth check in the MCP Proxy authentication path.
Affected systems
LiteLLM (BerriAI) ≤ 1.59.8 (MCP Proxy component)
Mitigation
Upgrade LiteLLM to a version beyond 1.59.8 (latest patched release: ≥ 1.84.0). References: NVD, https://nvd.nist.gov/vuln/detail/CVE-2026-12773; PoC, https://gist.github.com/YLChen-007/3cfaad10a69d7a15e4d4d458cb53309e
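An added inventory check (not code from the advisory or from the LiteLLM project) that classifies an installed LiteLLM version against the bounds stated above: at or below 1.59.8 is affected, 1.84.0 and later is the patched line, and anything in between is above the affected range but below the recommended release. The version parser, the `pip freeze` scanner and the sample freeze output are constructed for this example; pre-release tags (a, b, rc, dev) sort below the final release they precede.

```python
import re

AFFECTED_MAX = "1.59.8"  # advisory: LiteLLM <= 1.59.8 is affected
PATCHED_MIN = "1.84.0"   # advisory: latest patched release is >= 1.84.0

# Release numbers plus an optional pre-release tag, e.g. 1.84.0rc1 or 1.84.0.dev3.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(a|b|rc|dev)(\d*))?$")
_FREEZE_RE = re.compile(r"^litellm==(\S+)$", re.IGNORECASE)


def parse_version(text):
    """Turn a version string into a tuple that compares the way pip orders releases."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # "1.59" compares as 1.59.0
    tag = m.group(2)
    # A final release (flag 1) sorts above any pre-release (flag 0) of the same number.
    if tag is None:
        return (nums, 1, "", 0)
    return (nums, 0, tag, int(m.group(3) or 0))


def classify(version):
    """Return 'affected', 'patched', or 'above-affected-range' for one LiteLLM version."""
    v = parse_version(version)
    if v <= parse_version(AFFECTED_MAX):
        return "affected"
    if v >= parse_version(PATCHED_MIN):
        return "patched"
    return "above-affected-range"


def scan_freeze(freeze_output):
    """Find the litellm pin in `pip freeze` output and classify it; None if not installed."""
    for line in freeze_output.splitlines():
        m = _FREEZE_RE.match(line.strip())
        if m:
            return classify(m.group(1))
    return None


# Constructed sample of `pip freeze` output from a host running the MCP Proxy.
SAMPLE_FREEZE = """\
fastapi==0.115.0
litellm==1.59.8
uvicorn==0.30.0
"""

if __name__ == "__main__":
    print("sample host:", scan_freeze(SAMPLE_FREEZE))  # prints "sample host: affected"
```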