What happened
A security vulnerability in BerriAI LiteLLM up to version 1.82.2 allows Server-Side Request Forgery (SSRF). The flaw lies in the _execute_with_mcp_client function in litellm/proxy/_experimental/mcp_server/rest_endpoints.py (MCP Server Connection Testing component). CVSS 6.3 Medium; published 2026-06-21.
Why it matters
SSRF in an LLM gateway's MCP Server Connection Testing endpoint lets an attacker pivot from the LiteLLM proxy to internal network services, such as cloud metadata endpoints (169.254.169.254), internal databases, or other MCP servers, by causing the proxy to make arbitrary outbound connections on the attacker's behalf.
Attack vector
Remote attacker sends a crafted request to the MCP Server Connection Testing endpoint, causing the server to make arbitrary outbound HTTP requests to internal or external targets.
Affected systems
LiteLLM (BerriAI) ≤ 1.82.2 (MCP Server Connection Testing component)
Mitigation
Upgrade LiteLLM to ≥ 1.84.0. NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-12774
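As an added defensive illustration (not LiteLLM's code and not the upstream fix, whose details the advisory does not give), this is the kind of destination check a connection-testing endpoint needs before opening an outbound connection to a user-supplied MCP server URL. The `validate_outbound_url` function, the `DEMO_DNS` table and `demo_resolver` are assumptions constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # reject file:, gopher:, etc. outright


def is_disallowed_address(ip):
    # Destinations a connection test must never reach: loopback, link-local
    # (includes the 169.254.169.254 metadata endpoint), RFC 1918 / ULA private
    # space, multicast, reserved and unspecified addresses.
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Vet a user-supplied server URL before connecting. Returns (ok, reason)."""
    # `resolver` is injectable so the check runs offline; production uses getaddrinfo.
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parsed.scheme
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:  # literal IP (v4 or bracketed v6): no DNS involved, check it directly
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            infos = resolver(host, None)
        except socket.gaierror as exc:
            return False, "DNS resolution failed: %s" % exc
        # Reject if ANY record is internal: an attacker-controlled name can mix
        # public and internal answers, and the client may connect to either.
        addrs = {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}
    bad = sorted(str(a) for a in addrs if is_disallowed_address(a))
    if bad:
        return False, "%s points at non-routable address(es): %s" % (host, ", ".join(bad))
    # Caveat: connect to the vetted address (pin it) rather than re-resolving,
    # or a DNS change between check and connect defeats this check.
    return True, "ok"


# Constructed DNS table for offline demonstration; not real records.
DEMO_DNS = {"mcp.example.com": ["11.22.33.44"],            # globally routable
            "rebind.example.com": ["11.22.33.44", "10.0.0.5"]}  # mixes in RFC 1918


def demo_resolver(host, port):
    """Stand-in for socket.getaddrinfo that answers from DEMO_DNS."""
    if host not in DEMO_DNS:
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 0, "", (ip, port or 0))
            for ip in DEMO_DNS[host]]
```

Pass `demo_resolver` to `validate_outbound_url` to exercise the hostname path offline; omit it to resolve against real DNS.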