What happened
A weakness in BerriAI LiteLLM up to and including version 1.82.2 allows path traversal via manipulation of the spec_path argument of the load_openapi_spec_async function in litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py (MCP OpenAPI Spec Loader). CVSS 6.3 Medium; published 2026-06-21.
Why it matters
The MCP OpenAPI Spec Loader converts OpenAPI specs into MCP tools callable by LLM agents. A path-traversal flaw in spec_path allows an attacker to make LiteLLM load arbitrary files from the server filesystem as OpenAPI specs, potentially exposing secrets or causing unexpected tool registration.
Attack vector
Attacker supplies a crafted spec_path argument containing path traversal sequences to the load_openapi_spec_async function.
Affected systems
LiteLLM (BerriAI) ≤ 1.82.2 (MCP OpenAPI Spec Loader component)
Mitigation
Upgrade LiteLLM to ≥ 1.84.0. NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-12798
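Added example, not LiteLLM's own code: a defensive spec_path resolver of the kind a loader like the one above needs, which confines untrusted spec paths to an allowlisted directory and rejects absolute paths, ".." traversal and symlinks that resolve outside it. The SPEC_ROOT directory, the exception class and the extension allowlist are assumptions for illustration.

```python
import os
from pathlib import Path

# Assumed allowlisted directory for OpenAPI specs (illustrative, not a LiteLLM setting).
SPEC_ROOT = Path("/etc/litellm/openapi_specs")

# Assumed document types a spec loader should accept.
ALLOWED_SUFFIXES = {".json", ".yaml", ".yml"}


class SpecPathError(ValueError):
    """Raised when spec_path is rejected before any file is opened."""


def resolve_spec_path(spec_path: str, spec_root: Path = SPEC_ROOT) -> Path:
    """Return the canonical path for spec_path, or raise if it leaves spec_root.

    Containment is checked on fully resolved paths rather than on the raw
    string, so '..' segments, redundant separators and symlinks pointing
    outside spec_root are all caught by the same comparison.
    """
    root = spec_root.resolve()
    # Joining an absolute path onto root would replace root entirely, so an
    # absolute spec_path is refused up front instead of being silently accepted.
    if os.path.isabs(spec_path):
        raise SpecPathError(f"absolute spec_path not allowed: {spec_path!r}")
    candidate = (root / spec_path).resolve()
    # resolve() canonicalises '..' and follows symlinks; is_relative_to then
    # confirms the final target is still inside the allowlisted directory.
    if not candidate.is_relative_to(root):
        raise SpecPathError(f"spec_path escapes spec root: {spec_path!r}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise SpecPathError(f"spec_path is not an OpenAPI document: {spec_path!r}")
    return candidate


def is_safe_spec_path(spec_path: str, spec_root: Path = SPEC_ROOT) -> bool:
    """Boolean form of resolve_spec_path, convenient for input validation."""
    try:
        resolve_spec_path(spec_path, spec_root)
    except SpecPathError:
        return False
    return True
```

A loader that calls resolve_spec_path before opening the file, and logs each SpecPathError with the rejected value, gives both the mitigation and a detection signal for traversal attempts.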