CVE-2026-59822 in litellm
Summary
by MITRE • 07/08/2026
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, LiteLLM's MCP Streamable HTTP endpoint allowed an unauthenticated attacker to use a fabricated Authorization header to trigger an OAuth2 passthrough fallback path that replaced failed LiteLLM key validation with an empty UserAPIKeyAuth() object, allowing requests to reach MCP tooling without a valid LiteLLM key. This issue is fixed in version 1.84.0.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability in LiteLLM affects its proxy server functionality that serves as an AI Gateway for calling large language model APIs in OpenAI format. This security flaw specifically impacts the MCP Streamable HTTP endpoint and represents a critical authentication bypass issue that undermines the gateway's access control mechanisms.
The technical implementation of this vulnerability stems from inadequate validation of authentication headers within LiteLLM's authorization flow. Prior to version 1.84.0, when an attacker submitted a fabricated Authorization header, the system would attempt to process this request through an OAuth2 passthrough fallback mechanism instead of properly rejecting the invalid credentials. This fallback path contained a logic flaw where failed LiteLLM key validation resulted in the creation of an empty UserAPIKeyAuth() object, effectively allowing unauthorized access to MCP tooling functionality that should have required proper authentication.
The operational impact of this vulnerability is significant as it enables unauthenticated attackers to bypass the gateway's security controls entirely. Attackers can exploit this flaw to make unauthorized requests to MCP tools without possessing valid LiteLLM keys, potentially leading to resource exhaustion, unauthorized API usage, data leakage, and other malicious activities. The vulnerability essentially creates a backdoor path through which any attacker can access protected functionality simply by crafting a malformed authorization header.
This issue aligns with CWE-287 (Improper Authentication) and represents a classic case of insecure authentication handling where the system fails to properly validate credentials before granting access. From an ATT&CK perspective, this vulnerability maps to T1078 (Valid Accounts) and T1566 (Phishing) as it allows adversaries to leverage forged authentication mechanisms to gain unauthorized access to AI gateway resources. The vulnerability also demonstrates poor input validation practices that could lead to privilege escalation if the MCP tooling provides elevated functionality.
The fix implemented in version 1.84.0 addresses this issue by strengthening the authorization validation process to prevent the fallback mechanism from being triggered with fabricated headers. This update ensures proper authentication checks are performed before any request reaches the MCP tooling, eliminating the possibility of an empty UserAPIKeyAuth() object being created due to failed key validation. Organizations using LiteLLM should immediately upgrade to version 1.84.0 or later to mitigate this vulnerability and maintain secure access controls for their AI gateway infrastructure.