CVE-2026-12799: litellm: authorization bypass exposes user list

MEDIUM
Published June 21, 2026
CISO Take

CVE-2026-12799 is an incomplete fix for CVE-2025-0628 — the `ui_view_users` management endpoint in litellm ≤1.82.2 still allows any low-privileged authenticated user to enumerate the full internal user list, a capability that should be admin-only. While the CVSS score is 4.3 (Medium) with confidentiality-only impact, litellm commonly functions as the central API gateway routing traffic to OpenAI, Anthropic, Azure, and Bedrock, making user enumeration a meaningful stepping stone toward targeted credential theft against other platform consumers. A public exploit is already available (CVSS E:P), this package carries 32 prior CVEs with an OpenSSF score of 6.1/10, and 6 downstream packages inherit this exposure. Upgrade beyond 1.82.2 once a patch is confirmed, and immediately restrict the `/ui/users` endpoint to admin-only at the reverse proxy layer as a compensating control.

Sources: NVD, OpenSSF, ATLAS, VulnDB

What is the risk?

Medium risk overall, elevated in multi-tenant LLM gateway deployments. The exploit requires only low privileges — any authenticated API consumer can trigger it without specialized knowledge given the public proof-of-concept. Blast radius is confidentiality-only (no integrity or availability impact), but litellm's role as an LLM proxy concentrates API access for multiple providers and users, making user enumeration disproportionately valuable. The pattern of 32 CVEs in this package, including a prior incomplete fix for the same authorization flaw, signals structural weaknesses in authorization enforcement rather than an isolated regression.

How does the attack unfold?

Initial Access (AML.T0012)
Attacker authenticates to the litellm proxy with any valid low-privilege API key or user account, a barrier requiring no special privileges or skills given the low-friction account creation model common in LLM proxy deployments.

Exploitation (AML.T0049)
Attacker calls the `ui_view_users` management endpoint directly; the incomplete authorization check — a remnant of the failed CVE-2025-0628 patch — fails to block the low-privilege request and returns a 200 response.

Reconnaissance (AML.T0087)
Attacker receives the full internal user roster including usernames, roles, and API key metadata for all platform consumers, mapping the organization's LLM API access surface.

Impact (AML.T0040)
Attacker leverages the enumerated user list to target high-privilege accounts via credential stuffing or spearphishing, escalating toward full LLM gateway compromise with access to all configured provider API keys.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LiteLLM pip No patch
51.0K OpenSSF 6.1 6 dependents Pushed today 36% patched ~41d to patch

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1: 4.3 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

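Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None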

What should I do?

5 steps
  1. Upgrade litellm beyond 1.82.2 once a patched release is confirmed — monitor the upstream changelog and VulnDB entry vuln/372561 for patch confirmation.

  2. As an immediate compensating control, restrict the `/ui/users` and `/internal/user` management endpoints to admin IPs or roles at the reverse proxy layer (nginx, Caddy, Traefik).

  3. Audit access logs for unexpected 200 responses to user-listing endpoints from non-admin API keys — focus on the past 30 days given the public exploit availability.

  4. Rotate API keys for users in multi-tenant litellm deployments where enumeration may have already occurred.

  5. Treat the OpenSSF score of 6.1/10 as a prompt for a broader supply chain review of this dependency.
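
One way to carry out the log audit in step 3, as an added example (not code from litellm or from this advisory). It assumes the reverse proxy writes nginx "combined" lines with a hypothetical key_id="..." field appended, and that the operator supplies the set of admin key IDs; the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from posixpath import normpath
from urllib.parse import unquote

# Endpoint prefixes named in the advisory's remediation steps.
USER_LISTING_PREFIXES = ("/ui/users", "/internal/user")

# Assumed format (hypothetical): nginx "combined" plus key_id="..." from a custom log_format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) .*key_id="(?P<key_id>[^"]*)"'
)

def normalize_path(target):
    """Drop the query string, percent-decode, collapse //, ./ and ../."""
    raw = unquote(target.split("?", 1)[0])
    return normpath("/" + raw.lstrip("/"))

def is_user_listing(path):
    return any(path == p or path.startswith(p + "/") for p in USER_LISTING_PREFIXES)

def audit(lines, admin_key_ids, now, window_days=30):
    """Return (timestamp, ip, key_id, path) for 200s from non-admin keys."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = normalize_path(m["target"])
        if ts >= cutoff and is_user_listing(path) and m["key_id"] not in admin_key_ids:
            hits.append((ts.isoformat(), m["ip"], m["key_id"], path))
    return hits

# Constructed sample log lines (not real traffic).
def _line(ip, ts, target, status, key):
    return f'{ip} - - [{ts} +0000] "GET {target} HTTP/1.1" {status} 512 "-" "client" key_id="{key}"'

SAMPLE_LOG = [
    _line("203.0.113.7", "20/Jun/2026:10:15:02", "/ui/users?page=1", 200, "key-low-01"),
    _line("198.51.100.4", "20/Jun/2026:10:16:40", "/ui/users", 200, "key-admin-01"),
    _line("203.0.113.9", "20/Jun/2026:10:18:00", "/internal/user/", 200, "key-low-02"),
    _line("203.0.113.9", "20/Jun/2026:10:19:00", "/ui/users", 403, "key-low-02"),
    _line("203.0.113.9", "01/Apr/2026:09:00:00", "/ui/users", 200, "key-low-02"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, {"key-admin-01"}, datetime(2026, 6, 21, tzinfo=timezone.utc)))
```

Paths are normalized before matching so that a query string or trailing slash on the same route is not missed; key IDs returned here are candidates for the rotation in step 4.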

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.8.4 - Access control to AI systems
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain value of deployed AI systems
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-12799 actively exploited?

No confirmed active exploitation of CVE-2026-12799 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-12799?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy / API gateway, Multi-tenant AI platforms, LLM inference serving.

What is the CVSS score for CVE-2026-12799?

CVE-2026-12799 has a CVSS v3.1 base score of 4.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

LLM proxy / API gateway
Multi-tenant AI platforms
LLM inference serving

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0087 Gather Victim Identity Information

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this issue is the function ui_view_users of the file litellm/proxy/management_endpoints/internal_user_endpoints.py of the component Incomplete Fix CVE-2025-0628. Such manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.

Exploitation Scenario

An attacker with a legitimate but low-privilege litellm API key — obtained via a trial account, a leaked key from a public repository, or a compromised team member — authenticates to the litellm proxy management UI. They call the `ui_view_users` endpoint directly using the public exploit, bypassing the incomplete authorization check inherited from CVE-2025-0628's inadequate patch. The response returns the internal user list with usernames, roles, and potentially API key prefixes or metadata. The attacker maps the organization's AI platform users, then targets high-privilege accounts — such as admins with keys to multiple LLM providers — via spearphishing or credential stuffing, escalating from low-privilege user enumeration to full LLM gateway compromise.

Weaknesses (CWE)

CWE-266 — Incorrect Privilege Assignment: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design, Operation] Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Timeline

Published: June 21, 2026
Last Modified: June 21, 2026
First Seen: June 21, 2026