CVE-2026-12798: litellm: SSRF in MCP OpenAPI spec loader endpoint

MEDIUM
Published June 21, 2026
CISO Take

CVE-2026-12798 is a Server-Side Request Forgery vulnerability in litellm's experimental MCP server component. The `load_openapi_spec_async` function accepts an unvalidated, user-controlled `spec_path` argument and fetches it verbatim, so any authenticated caller can point the proxy at arbitrary internal or external URLs. LiteLLM is widely deployed as an LLM gateway that unifies access to multiple AI backends, so SSRF here can reach cloud metadata services (AWS IMDSv1 at 169.254.169.254), internal APIs, and adjacent microservices that are not reachable from the internet, turning a CVSS 6.3 into a realistic path to cloud credential theft and lateral movement. A public proof-of-concept is already on GitHub, reducing exploitation to a copy-and-paste operation for anyone holding a valid API key. No patched release was available at publication: organizations running litellm 1.82.2 or earlier with the MCP server enabled should disable the experimental MCP endpoint, enforce IMDSv2-only on cloud hosts to block metadata SSRF, and upgrade as soon as a fixed release ships.

Sources: NVD, VulDB, ATLAS, OpenSSF

What is the risk?

Rated medium by CVSS (6.3), but practical risk is elevated by three factors: a public PoC on GitHub lowers the skill bar to near zero; only low privileges are required, so any compromised or trial API key is sufficient; and SSRF in cloud-hosted LLM proxies routinely chains into cloud IAM credential theft regardless of the Low (L) ratings on confidentiality, integrity and availability. LiteLLM's track record of 32 prior CVEs and an OpenSSF score of 6.1/10 point to systemic security debt. The experimental flag on the affected component may limit the attack surface in hardened deployments, but many operators enable experimental features without scoping what they expose.

How does the attack unfold?

  1. Initial Access (AML.T0012)

    Attacker obtains a low-privilege litellm API key via credential theft, phishing, or as a legitimate user of a shared LLM gateway.

  2. SSRF Trigger (AML.T0049)

    Attacker calls the MCP server's OpenAPI spec loader endpoint with spec_path set to an internal URL (cloud metadata service, internal API, or intranet host).

  3. Internal Reconnaissance (AML.T0085.001)

    The litellm server fetches the attacker-specified URL server-side and returns the response, exposing cloud IAM credentials, internal API tokens, or microservice data.

  4. Credential Theft and Lateral Movement (AML.T0025)

    Attacker uses harvested cloud credentials or tokens to escalate privileges, access storage, or move laterally across the cloud account beyond the AI system boundary.

What systems are affected?

Package
LiteLLM
Ecosystem
pip
Vulnerable Range
1.82.2 and earlier
Patched
No patch available at publication

Do you use LiteLLM? If you run version 1.82.2 or earlier with the experimental MCP server enabled, you are affected.

How severe is it?

CVSS 3.1
6.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

What should I do?

5 steps
  1. PATCH

    Upgrade litellm beyond 1.82.2 once a patched release is available; monitor github.com/BerriAI/litellm releases.

  2. DISABLE

    If the experimental MCP server is not required, disable it via configuration or remove the mcp_server experimental feature flag.

  3. NETWORK EGRESS

    Block outbound requests from the litellm process to 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 (and to fd00:ec2::254 on IPv6-enabled AWS hosts). Enforce IMDSv2-only on AWS instances: IMDSv2 requires a session token obtained with a PUT request and a custom header, which a plain GET-based SSRF cannot supply. GCP and Azure metadata endpoints already demand a custom request header (Metadata-Flavor: Google and Metadata: true respectively), but block the range there as well rather than relying on that alone.

  4. AUTHZ

    Restrict MCP OpenAPI spec loading to privileged roles only; treat spec_path ingestion as an admin operation.

  5. DETECT

    Alert on litellm process egress to cloud metadata ranges or RFC1918 addresses; monitor for 169.254.169.254 or internal hostname resolution in proxy logs.
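To make the DETECT step concrete, here is an added example that is not code from litellm or from this advisory: it scans proxy access logs for spec_path values aimed at internal targets. The JSON log format, the field names (ts, key_id, route, spec_path) and the sample lines are constructed for the example; litellm's real log fields will differ, so map them onto your own pipeline. It goes beyond the literal 169.254.169.254 match in the step above by also catching IPv4-mapped IPv6 literals, decimal-integer hosts, private ranges and internal DNS suffixes.

```python
"""Scan LiteLLM proxy access logs for MCP spec_path values that point at
internal targets.  Added example, not litellm code.  The JSON log format,
the field names (ts, key_id, route, spec_path) and the sample lines are
constructed for this example; adapt them to your own proxy logging."""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Hostnames that only resolve from inside a cloud account or cluster.
INTERNAL_HOST_PATTERNS = (
    r".*\.internal$",                 # metadata.google.internal, *.ec2.internal
    r".*\.svc(\.cluster\.local)?$",   # Kubernetes service DNS
    r"^localhost$",
    r"^metadata$",                    # short metadata name used on some clouds
)


def _literal_ip(host):
    """Parse host as an IP literal, covering common SSRF evasions.
    Returns an ip_address object, or None if host is a DNS name."""
    try:
        if host.isdigit():            # http://2852039166/ is 169.254.169.254
            ip = ipaddress.ip_address(int(host))
        else:
            ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:   # [::ffff:a9fe:a9fe]
        ip = ip.ipv4_mapped
    return ip


def classify_spec_path(spec_path):
    """Return a reason string if spec_path targets something internal, else None."""
    parts = urlsplit(spec_path)
    if parts.scheme not in ("http", "https"):
        return "non-http scheme"        # file://, gopher://, bare paths
    host = parts.hostname or ""         # lower-cased, no user@, no :port, no []
    if not host:
        return "empty host"
    ip = _literal_ip(host)
    if ip is not None:
        if ip.is_link_local:            # 169.254.0.0/16, including IMDS
            return "cloud metadata range"
        if not ip.is_global:            # RFC1918, loopback, ULA, fd00:ec2::254
            return "private or loopback address"
        return None
    if re.fullmatch(r"[0-9.]+", host):  # octal/short forms that ipaddress rejects
        return "malformed IP literal"
    for pattern in INTERNAL_HOST_PATTERNS:
        if re.fullmatch(pattern, host):
            return "internal hostname"
    return None


def scan_log_lines(lines):
    """Return one alert dict per log line whose spec_path looks like SSRF."""
    alerts = []
    for line in lines:
        entry = json.loads(line)
        spec_path = entry.get("spec_path")
        if spec_path is None:
            continue                     # not a spec-loader call
        reason = classify_spec_path(spec_path)
        if reason:
            alerts.append({"ts": entry["ts"], "key_id": entry["key_id"],
                           "reason": reason, "spec_path": spec_path})
    return alerts


# Constructed sample log lines (not real litellm output).
SAMPLE_LOG = [
    '{"ts":"2026-06-21T10:00:01Z","key_id":"sk-...a1b2","route":"/chat/completions"}',
    '{"ts":"2026-06-21T10:00:02Z","key_id":"sk-...a1b2","route":"/mcp/openapi","spec_path":"https://petstore3.swagger.io/api/v3/openapi.json"}',
    '{"ts":"2026-06-21T10:00:03Z","key_id":"sk-...c3d4","route":"/mcp/openapi","spec_path":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}',
    '{"ts":"2026-06-21T10:00:04Z","key_id":"sk-...c3d4","route":"/mcp/openapi","spec_path":"http://[::ffff:a9fe:a9fe]/latest/meta-data/"}',
    '{"ts":"2026-06-21T10:00:05Z","key_id":"sk-...c3d4","route":"/mcp/openapi","spec_path":"http://2852039166/latest/meta-data/"}',
    '{"ts":"2026-06-21T10:00:06Z","key_id":"sk-...c3d4","route":"/mcp/openapi","spec_path":"http://metadata.google.internal/computeMetadata/v1/"}',
    '{"ts":"2026-06-21T10:00:07Z","key_id":"sk-...e5f6","route":"/mcp/openapi","spec_path":"http://10.0.12.7:8080/admin/openapi.json"}',
    '{"ts":"2026-06-21T10:00:08Z","key_id":"sk-...e5f6","route":"/mcp/openapi","spec_path":"file:///etc/passwd"}',
]

if __name__ == "__main__":
    for alert in scan_log_lines(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["key_id"]} {alert["reason"]}: {alert["spec_path"]}')
```

Run against the constructed sample, the benign swagger.io line passes and the six others are flagged with distinct reasons. Operators who legitimately load specs from local paths should exempt the bare-path case from the "non-http scheme" rule; everything else is a reasonable default alert, and grouping alerts by key_id quickly shows which key is probing.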

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.1.2 - AI system security requirements
NIST AI RMF
GOVERN 1.7 - Processes and procedures for AI risk management
OWASP LLM Top 10
LLM07 - Insecure Plugin Design (2023 edition of the list)

Frequently Asked Questions

What is CVE-2026-12798?

CVE-2026-12798 is a Server-Side Request Forgery (CWE-918) vulnerability in the experimental MCP server of litellm up to version 1.82.2. The `load_openapi_spec_async` function in litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py fetches a caller-supplied `spec_path` without validation, so any holder of a valid API key can make the proxy request arbitrary internal or external URLs, including cloud metadata services such as AWS IMDSv1 at 169.254.169.254. A public proof-of-concept exists; no patched release was available at publication, so disable the experimental MCP endpoint and enforce IMDSv2-only on cloud hosts until you can upgrade.

Is CVE-2026-12798 actively exploited?

No confirmed active exploitation of CVE-2026-12798 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-12798?

1. PATCH: Upgrade litellm beyond 1.82.2 once a patched release is available; monitor github.com/BerriAI/litellm releases.
2. DISABLE: If the experimental MCP server is not required, disable it via configuration or remove the mcp_server experimental feature flag.
3. NETWORK EGRESS: Block outbound requests from the litellm process to 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16; enforce IMDSv2-only on AWS instances to neutralize metadata SSRF.
4. AUTHZ: Restrict MCP OpenAPI spec loading to privileged roles only; treat spec_path ingestion as an admin operation.
5. DETECT: Alert on litellm process egress to cloud metadata ranges or RFC1918 addresses; monitor for 169.254.169.254 or internal hostname resolution in proxy logs.

What systems are affected by CVE-2026-12798?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy and gateway deployments, AI agent frameworks using litellm as backend, MCP server integrations, Multi-tenant enterprise LLM routers, Cloud-hosted AI inference pipelines.

What is the CVSS score for CVE-2026-12798?

CVE-2026-12798 has a CVSS v3.1 base score of 6.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

LLM proxy and gateway deployments
AI agent frameworks using litellm as backend
MCP server integrations
Multi-tenant enterprise LLM routers
Cloud-hosted AI inference pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0085.001 AI Agent Tools

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.2
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

A weakness has been identified in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function load_openapi_spec_async of the file litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py of the component MCP OpenAPI Spec Loader. This manipulation of the argument spec_path causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.

Exploitation Scenario

An adversary holding a low-privilege litellm API key (obtained through phishing, credential stuffing, or a compromised internal user) calls the MCP server's OpenAPI spec loader with spec_path set to http://169.254.169.254/latest/meta-data/iam/security-credentials/ on an AWS-hosted deployment. LiteLLM fetches this URL server-side. On an instance that still allows IMDSv1, the response lists the instance role name, and a second request to the same path with the role name appended returns that role's temporary credentials. The attacker uses those credentials to enumerate S3 buckets, read secrets from AWS Secrets Manager, or assume higher-privilege roles, pivoting from a scoped LLM API key to broad cloud infrastructure control. The public GitHub gist reduces this chain to a copy-and-paste operation. IMDSv2 requires a session token obtained with a PUT request and a custom header, which a plain GET-based SSRF cannot supply, so enforcing IMDSv2-only breaks this particular chain, though not SSRF against other internal services.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Timeline

Published
June 21, 2026
Last Modified
June 21, 2026
First Seen
June 21, 2026
