CVE-2026-12795: litellm: auth bypass in SSO debug exposes LLM proxy

HIGH
Published June 21, 2026
CISO Take

CVE-2026-12795 is an authentication bypass in BerriAI litellm's SSO debug flow (up to v1.82.2), where the json.dumps handler in ui_sso.py is reachable without any credentials, exposing administrative SSO functionality over the network with zero privileges and zero user interaction required. LiteLLM is a widely deployed LLM proxy/gateway used by organizations to centralize access to multiple AI providers simultaneously — a successful exploit gives an attacker a single pivot point into all upstream LLM APIs and the API keys used to authenticate them, meaning one unauthenticated HTTP request can unlock OpenAI, Anthropic, Azure OpenAI, and other provider credentials in one shot. With a public exploit already disclosed on GitHub and a CVSS of 7.3, the window before commodity exploitation narrows to days for any internet-facing or VPN-accessible litellm instance. Patch immediately to a version beyond 1.82.2, block SSO debug paths at the reverse proxy layer as an interim control, and treat all LLM provider API keys stored in the configuration as compromised if the instance had any external exposure.

Sources: NVD, ATLAS, GitHub Advisory

What is the risk?

HIGH. All prerequisites for mass automated exploitation are met: network-accessible, low attack complexity, no privileges required, no user interaction needed, and a public PoC already on GitHub. LiteLLM commonly runs in internal AI platforms and developer portals with access to high-value LLM API credentials spanning multiple providers — the blast radius per compromised instance is unusually wide. While not yet in CISA KEV, the trivial exploitability and public disclosure make opportunistic scanning near-certain within days. The AI/ML category (llm_inference) and gateway role of litellm amplify impact beyond a single service.

How does the attack unfold?

Discovery (AML.T0006): Attacker scans internet or internal network for exposed litellm proxy instances on common ports (4000, 8000) and identifies SSO-enabled deployments via HTTP fingerprinting or public endpoint enumeration.

Initial Access (AML.T0049): Attacker sends an unauthenticated HTTP request to the SSO debug flow endpoint in ui_sso.py, bypassing authentication entirely due to the missing auth gate on the json.dumps handler.

Credential Harvesting (AML.T0106): The unprotected debug response leaks SSO configuration, session tokens, or LLM provider API keys stored in the litellm proxy, giving the attacker credentials for all connected AI providers.

Impact (AML.T0034): Attacker uses harvested LLM API credentials externally to make unauthorized inference requests across all connected providers, incurring financial costs on the victim's accounts and accessing sensitive prompt and response history.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
LiteLLM | pip | | No patch
51.0K, OpenSSF 6.1, 6 dependents, Pushed today, 36% patched, ~41d to patch

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1: 7.3 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

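Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low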

What should I do?

  1. Patch immediately: upgrade litellm beyond version 1.82.2 — review the vendor GitHub releases and changelog for the specific fix commit targeting ui_sso.py.

  2. Interim control until patched: block external and internal access to SSO debug paths (e.g., /ui/sso, any debug parameter on SSO endpoints) at the reverse proxy (Nginx, Caddy, or Traefik rule).

  3. Rotate all LLM provider API keys stored in the litellm configuration — treat them as compromised if the instance had any network exposure during the vulnerable window.

  4. Audit proxy logs for unauthenticated or anomalous requests to ui_sso.py endpoints — look for 200 responses to requests with no Authorization header.

  5. Confirm that litellm is not directly internet-facing; it should sit behind an authenticated reverse proxy or VPN with network-level access controls.
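Step 4 as an added example (not code from the advisory or from litellm): a Python audit over a JSON-lines access log that reports 200 responses on SSO paths where no Authorization header was sent, with debug-flow hits listed first. The log field names, the sample lines and the `auth` presence flag written by the reverse proxy are assumptions made for illustration; only the `/ui/sso` path comes from this page.

```python
import json
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# "/ui/sso" is the example path from the advisory; extend for your deployment.
SSO_PREFIXES = ("/ui/sso",)

# Constructed sample (JSON lines; field names assumed; "auth" = header present).
SAMPLE_LOG = """\
{"ip":"203.0.113.9","uri":"/ui/sso","status":200,"auth":false}
{"ip":"10.0.4.12","uri":"/ui/sso","status":200,"auth":true}
{"ip":"198.51.100.7","uri":"/ui/sso?debug=true","status":200,"auth":false}
{"ip":"198.51.100.7","uri":"/ui/sso","status":401,"auth":false}
{"ip":"203.0.113.9","uri":"/ui/ssoextra","status":200,"auth":false}
{"ip":"10.0.4.12","uri":"/v1/chat/completions","status":200,"auth":true}
truncated-line-not-json
"""

def is_sso_path(uri):
    """True if the URI path is an SSO prefix or sits below one."""
    path = urlsplit(uri).path.lower().rstrip("/")
    return any(path == p or path.startswith(p + "/") for p in SSO_PREFIXES)

def mentions_debug(uri):
    """True if 'debug' appears in the path or in a query parameter name."""
    parts = urlsplit(uri)
    keys = parse_qs(parts.query, keep_blank_values=True)
    return "debug" in parts.path.lower() or any("debug" in k.lower() for k in keys)

def audit(lines):
    """Return (findings, unparsed): 200 responses on SSO paths with no auth."""
    findings, unparsed = [], 0
    for lineno, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
            uri, status = rec["uri"], int(rec["status"])
        except (ValueError, KeyError, TypeError):
            unparsed += 1  # count unreadable lines instead of hiding them
            continue
        if is_sso_path(uri) and status == 200 and not rec.get("auth"):
            findings.append({"line": lineno, "ip": rec.get("ip"), "uri": uri,
                             "debug": mentions_debug(uri)})
    findings.sort(key=lambda f: (not f["debug"], f["line"]))  # debug hits first
    return findings, unparsed

def hits_by_source(findings):  # per-client counts, to scope rotation and blocking
    return Counter(f["ip"] for f in findings)
```

The reverse proxy should log only whether the Authorization header was present, never its value, so the audit log does not itself become a credential store.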

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Security of AI system development and operation
NIST AI RMF: GOVERN 6.1 - Policies and procedures for managing AI system risks
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-12795 actively exploited?

No confirmed active exploitation of CVE-2026-12795 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-12795?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy and API gateway deployments, AI platform internal portals with SSO integration, MLOps environments using litellm as multi-provider aggregator, Agent frameworks and agentic pipelines routing through litellm, Multi-provider LLM routing infrastructure.

What is the CVSS score for CVE-2026-12795?

CVE-2026-12795 has a CVSS v3.1 base score of 7.3 (HIGH).

What is the AI security impact?

Affected AI Architectures

  • LLM proxy and API gateway deployments
  • AI platform internal portals with SSO integration
  • MLOps environments using litellm as multi-provider aggregator
  • Agent frameworks and agentic pipelines routing through litellm
  • Multi-provider LLM routing infrastructure

MITRE ATLAS Techniques

AML.T0034 Cost Harvesting
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

A vulnerability was determined in BerriAI litellm up to 1.82.2. This affects the function json.dumps of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Debug Flow. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

Exploitation Scenario

An adversary scans the internet or internal corporate network for litellm proxy instances (common ports 4000, 8000) using HTTP fingerprinting. Upon identifying an SSO-enabled deployment, the attacker sends a crafted unauthenticated HTTP request to the SSO debug flow endpoint in ui_sso.py, triggering the vulnerable json.dumps handler. The debug response returns SSO configuration data, session-related tokens, or internal user identity information — all without requiring any credentials. Using the leaked tokens or SSO artifacts, the attacker escalates access to the litellm management API, from which they extract stored LLM provider API keys (OpenAI, Anthropic, Azure, etc.). These keys are then used externally to make unauthorized inference requests on the victim's paid accounts, incurring costs and potentially accessing sensitive prompt and completion history stored in the proxy's request logs.

Weaknesses (CWE)

CWE-287 — Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

  • [Architecture and Design] Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Timeline

Published: June 21, 2026
Last Modified: June 21, 2026
First Seen: June 21, 2026
