AI Threat Alert

CVE-2026-12772

MEDIUM
Published June 21, 2026

A security flaw has been discovered in BerriAI litellm up to 1.82.2. This impacts the function authenticate_user of the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Performing a manipulation results in session expiration. The attack may be...

Full CISO analysis pending enrichment.

How severe is it?

CVSS 3.1
6.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I Low
A Low

What should I do?

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-12772?

A security flaw has been discovered in BerriAI litellm up to 1.82.2. This impacts the function authenticate_user of the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Performing a manipulation results in session expiration. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.

Is CVE-2026-12772 actively exploited?

No confirmed active exploitation of CVE-2026-12772 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-12772?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-12772?

CVE-2026-12772 has a CVSS v3.1 base score of 6.3 (MEDIUM).

What are the technical details?

Original Advisory

A security flaw has been discovered in BerriAI litellm up to 1.82.2. This impacts the function authenticate_user of the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Performing a manipulation results in session expiration. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.

Weaknesses (CWE)

CWE-613 Insufficient Session Expiration Primary CWE-613 Insufficient Session Expiration

CWE-613 — Insufficient Session Expiration: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

  • [Implementation] Set sessions/credentials expiration date.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

Timeline

Published
June 21, 2026
Last Modified
June 21, 2026
First Seen
June 21, 2026
Back to Threat Feed