CVE-2026-12796: litellm: SSO session expiration allows auth persistence

MEDIUM
Published June 21, 2026
CISO Take

CVE-2026-12796 is an insufficient session expiration flaw (CWE-613) in litellm's OpenID Connect SSO handler, allowing a low-privileged remote attacker to reuse session tokens beyond their intended validity window via the proxy management UI. For teams running litellm as a centralized LLM gateway — a common enterprise pattern that routes traffic to OpenAI, Anthropic, Azure OpenAI, and other providers — this means an attacker who authenticates once can persist access to management endpoints long after logout or policy-mandated expiry, potentially exposing provider API keys and model routing configuration. A public proof-of-concept is already available and the package carries 32 prior CVEs with an OpenSSF score of 6.1/10, signaling systemic security debt that raises confidence in real-world exploitability. Immediately restrict network access to litellm's `/management/*` endpoints to trusted IP ranges and enforce session timeouts at the reverse proxy layer; upgrade to a patched release once one is confirmed upstream.

Sources: NVD, VulnDB, OpenSSF, ATLAS, CVSS, CWE

What is the risk?

Although the CVSS base score is 6.3 (Medium), the operational risk is elevated by three factors: a public proof-of-concept exploit lowers the attacker skill bar to trivial, litellm proxies commonly hold provider API keys with broad spending authority, and the low attack complexity with no user interaction required means automation of the attack is straightforward. The unchanged scope limits blast radius to the litellm process itself, but in gateway deployments that process is the chokepoint for all LLM access in the organization. The 32-CVE history of this package and 6.1/10 OpenSSF Scorecard score suggest insufficient security review cadence, making additional undiscovered issues plausible.

How does the attack unfold?

  • Initial Access (AML.T0012): Attacker authenticates to the litellm proxy management UI using low-privilege SSO credentials obtained through credential reuse or phishing.

  • Exploitation (AML.T0049): Attacker exploits CWE-613 in `get_redirect_response_from_openid` by reusing the session token hours or days after it should have expired, maintaining authenticated access without re-authentication.

  • Credential Access (AML.T0091.000): With persistent session access, attacker enumerates management endpoints to extract stored LLM provider API keys (OpenAI, Anthropic, Azure) and virtual key configurations.

  • Impact (AML.T0085.001): Attacker monetizes stolen provider API keys for unauthorized model access, modifies routing to intercept LLM traffic, or escalates to broader infrastructure compromise via the management interface.

What systems are affected?

Package: LiteLLM
Ecosystem: pip
Patched: No patch
Package profile: 51.0K, OpenSSF Scorecard 6.1, 6 dependents, pushed today, 36% patched, ~41d to patch


How severe is it?

CVSS 3.1: 6.3 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

What should I do?

6 steps
  1. Upgrade litellm beyond 1.82.2 as soon as a patched release is published; monitor the BerriAI GitHub releases page.

  2. As an immediate workaround, enforce hard session timeouts (≤8 hours) at the reverse proxy or load balancer layer in front of litellm's management UI, independently of the application-layer session logic.

  3. Disable SSO/OpenID Connect for the litellm admin interface if it is not operationally required; fall back to API key authentication with short-lived keys.

  4. Restrict network access to the `/management/*` and `/ui/*` endpoint paths to trusted internal IP ranges via firewall or Caddy/nginx ACLs.

  5. Audit authentication logs for session tokens with abnormally long active durations or reuse after expected logout events.

  6. Rotate all provider API keys (OpenAI, Anthropic, Azure, etc.) stored in the litellm proxy as a precaution if session logs show any anomalous access.
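Step 5 asks for an audit of session tokens that stay active too long or are reused after logout. The following is an added example (not litellm code) showing that audit over constructed log lines; the log format, field names, and the 8-hour limit (taken from step 2) are assumptions.

```python
"""Added example: audit constructed auth-log lines for session tokens that
stay active past a hard lifetime or are reused after a logout event.
Log format, field names and sample lines are assumptions, not litellm's own."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SESSION_LIFETIME = timedelta(hours=8)  # the <=8h hard timeout from step 2

# Constructed sample log: "<ISO timestamp> <event> session=<id> user=<name>"
SAMPLE_LOG = """\
2026-06-21T08:00:00Z login session=s1 user=alice
2026-06-21T09:30:00Z request session=s1 user=alice
2026-06-21T10:00:00Z logout session=s1 user=alice
2026-06-21T11:15:00Z request session=s1 user=alice
2026-06-21T08:05:00Z login session=s2 user=bob
2026-06-22T20:00:00Z request session=s2 user=bob
2026-06-21T08:10:00Z login session=s3 user=carol
2026-06-21T12:00:00Z request session=s3 user=carol
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event, session, user)."""
    ts, event, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), event, fields["session"], fields["user"]


def audit_sessions(log_text, max_lifetime=MAX_SESSION_LIFETIME):
    """Return {session_id: [finding, ...]} for sessions violating either rule."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    login_at, logout_at, findings = {}, {}, defaultdict(list)
    for ts, event, sid, user in events:
        if event == "login":
            login_at[sid] = ts
            logout_at.pop(sid, None)  # a fresh login starts a new session
        elif event == "logout":
            logout_at[sid] = ts
        elif event == "request":
            # Rule 1: any request after logout means the token was not invalidated
            if sid in logout_at and ts > logout_at[sid]:
                findings[sid].append(f"reuse after logout by {user} at {ts.isoformat()}")
            # Rule 2: token still accepted beyond the hard maximum lifetime
            if sid in login_at and ts - login_at[sid] > max_lifetime:
                findings[sid].append(f"active {ts - login_at[sid]} after login, exceeds {max_lifetime}")
    return dict(findings)


if __name__ == "__main__":
    for sid, issues in audit_sessions(SAMPLE_LOG).items():
        print(sid, *issues, sep="\n  ")
```

On the sample, s1 is flagged for reuse after logout and s2 for a session active about 36 hours after login; s3 is clean.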

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001: A.9.4 - System and application access control
NIST AI RMF: GOVERN 1.2 - Accountability; MANAGE 2.2 - Risk monitoring and mitigation
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-12796?

CVE-2026-12796 is an insufficient session expiration flaw (CWE-613) in litellm's OpenID Connect SSO handler, allowing a low-privileged remote attacker to reuse session tokens beyond their intended validity window via the proxy management UI. For teams running litellm as a centralized LLM gateway — a common enterprise pattern that routes traffic to OpenAI, Anthropic, Azure OpenAI, and other providers — this means an attacker who authenticates once can persist access to management endpoints long after logout or policy-mandated expiry, potentially exposing provider API keys and model routing configuration. A public proof-of-concept is already available and the package carries 32 prior CVEs with an OpenSSF score of 6.1/10, signaling systemic security debt that raises confidence in real-world exploitability. Immediately restrict network access to litellm's `/management/*` endpoints to trusted IP ranges and enforce session timeouts at the reverse proxy layer; upgrade to a patched release once one is confirmed upstream.

Is CVE-2026-12796 actively exploited?

No confirmed active exploitation of CVE-2026-12796 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-12796?

  1. Upgrade litellm beyond 1.82.2 as soon as a patched release is published; monitor the BerriAI GitHub releases page.

  2. As an immediate workaround, enforce hard session timeouts (≤8 hours) at the reverse proxy or load balancer layer in front of litellm's management UI, independently of the application-layer session logic.

  3. Disable SSO/OpenID Connect for the litellm admin interface if it is not operationally required; fall back to API key authentication with short-lived keys.

  4. Restrict network access to the `/management/*` and `/ui/*` endpoint paths to trusted internal IP ranges via firewall or Caddy/nginx ACLs.

  5. Audit authentication logs for session tokens with abnormally long active durations or reuse after expected logout events.

  6. Rotate all provider API keys (OpenAI, Anthropic, Azure, etc.) stored in the litellm proxy as a precaution if session logs show any anomalous access.

What systems are affected by CVE-2026-12796?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy gateways, model serving, SSO-integrated LLM infrastructure, enterprise LLM management platforms, multi-provider LLM routing layers.

What is the CVSS score for CVE-2026-12796?

CVE-2026-12796 has a CVSS v3.1 base score of 6.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

LLM proxy gateways, model serving, SSO-integrated LLM infrastructure, enterprise LLM management platforms, multi-provider LLM routing layers

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0085.001 AI Agent Tools
AML.T0091.000 Application Access Token

Compliance Controls Affected

ISO 42001: A.9.4
NIST AI RMF: GOVERN 1.2, MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

A vulnerability was identified in BerriAI litellm up to 1.82.2. This impacts the function `get_redirect_response_from_openid` of the file `litellm/proxy/management_endpoints/ui_sso.py` of the component SSO Authentication Flow. The manipulation leads to session expiration. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.

Exploitation Scenario

An attacker with low-privilege credentials — obtained via phishing, credential stuffing, or a shared test account — authenticates to the litellm proxy management UI through the SSO flow. The `get_redirect_response_from_openid` function issues a session token but fails to enforce expiration correctly. The attacker intentionally does not log out and revisits the management interface 24-48 hours later using the original session token, which remains valid due to CWE-613. With persistent access to the management UI, the attacker enumerates virtual keys, extracts stored provider API credentials, and modifies model routing to proxy traffic through an attacker-controlled endpoint — achieving both credential theft and ongoing model traffic interception with no re-authentication required.

Weaknesses (CWE)

CWE-613 — Insufficient Session Expiration: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

  • [Implementation] Set sessions/credentials expiration date.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Timeline

Published: June 21, 2026
Last Modified: June 21, 2026
First Seen: June 21, 2026
