CVE-2026-12773
Status: Received - Intake
Improper Authentication in BerriAI litellm MCP Proxy

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulDB

Description
A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.
Meta Information

  • Published: 2026-06-21
  • Last Modified: 2026-06-21
  • Generated: 2026-06-21
  • AI Q&A: 2026-06-21
  • EPSS Evaluated: N/A
Affected Vendors & Products

Showing 1 associated CPE.

| Vendor  | Product | Version / Range           |
|---------|---------|---------------------------|
| berriai | litellm | up to 1.59.8 (inclusive)  |
CWE

| CWE ID  | Description |
|---------|-------------|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Executive Summary

CVE-2026-12773 is a critical authentication bypass vulnerability in the LiteLLM Model Context Protocol (MCP) proxy module, specifically in the UserAPIKeyAuth function of the MCP Proxy component.

The issue arises because the authentication logic improperly handles HTTPException errors (401/403) during API key validation by ignoring these errors and allowing the request to proceed as if authenticated.

This flaw allows an attacker to send requests with invalid or no authentication tokens and still gain unauthorized access to backend MCP servers configured with `allow_all_keys: true`.

As a result, attackers can bypass authentication controls remotely and interact with protected resources or tools without valid credentials.
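The defect class described above, an authentication handler that catches the 401/403 raised during key validation and lets the request continue, is easiest to see next to its corrected form. The following is constructed example code added for this advisory, not LiteLLM's own implementation: the functions `authenticate_mcp_request_vulnerable()`, `authenticate_mcp_request_fixed()`, `validate_api_key()`, the `Principal` and `AuthError` types, and the sample key store are all assumptions that model the pattern, and the `allow_all_keys` flag is the per-server setting named in the summary.

```python
"""Constructed illustration of the defect class in this advisory.

Added example, not LiteLLM code. Every name here is an assumption that models
the pattern "an HTTP 401/403 raised during API key validation is swallowed and
the request proceeds", shown next to the corrected pattern where the failure
propagates to the caller as a rejected request.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed key store and per-server allow list standing in for real backends.
VALID_KEYS = {"sk-constructed-valid-key": "user-123"}
SERVER_ALLOWED_USERS = {"user-123"}


class AuthError(Exception):
    """Stands in for an HTTP-layer exception carrying a status code."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


@dataclass
class Principal:
    user_id: Optional[str]
    authenticated: bool


def validate_api_key(authorization: Optional[str]) -> Principal:
    """Return an authenticated Principal or raise AuthError(401)."""
    if not authorization or not authorization.startswith("Bearer "):
        raise AuthError(401, "missing or malformed Authorization header")
    token = authorization[len("Bearer "):]
    user_id = VALID_KEYS.get(token)
    if user_id is None:
        raise AuthError(401, "invalid API key")
    return Principal(user_id=user_id, authenticated=True)


def authenticate_mcp_request_vulnerable(authorization: Optional[str],
                                        allow_all_keys: bool) -> bool:
    """Vulnerable pattern: a 401/403 from validation is caught and ignored."""
    try:
        principal = validate_api_key(authorization)
    except AuthError as exc:
        if exc.status_code in (401, 403):
            # BUG: the failure is swallowed and an anonymous principal is used.
            principal = Principal(user_id=None, authenticated=False)
        else:
            raise
    # With allow_all_keys the anonymous principal is waved through, so an
    # invalid or missing token reaches the backend server's tools.
    if allow_all_keys:
        return True
    return principal.authenticated and principal.user_id in SERVER_ALLOWED_USERS


def authenticate_mcp_request_fixed(authorization: Optional[str],
                                   allow_all_keys: bool) -> bool:
    """Corrected pattern: validation failures propagate; policy runs after auth."""
    principal = validate_api_key(authorization)  # raises AuthError on failure
    if not principal.authenticated or principal.user_id is None:
        raise AuthError(401, "unauthenticated request")
    # allow_all_keys now means "any *valid* key may use this server", which is
    # the only reading under which the flag is safe.
    return allow_all_keys or principal.user_id in SERVER_ALLOWED_USERS


def fixed_rejection_status(authorization: Optional[str],
                           allow_all_keys: bool) -> Optional[int]:
    """Return the status code the fixed handler rejects with, or None if allowed."""
    try:
        authenticate_mcp_request_fixed(authorization, allow_all_keys)
    except AuthError as exc:
        return exc.status_code
    return None


if __name__ == "__main__":
    bad = "Bearer invalidtoken"
    good = "Bearer sk-constructed-valid-key"
    print("vulnerable, invalid token, allow_all_keys=True:",
          authenticate_mcp_request_vulnerable(bad, True))   # True (bypass)
    print("fixed, invalid token, allow_all_keys=True -> status:",
          fixed_rejection_status(bad, True))                 # 401
    print("fixed, valid token, allow_all_keys=True:",
          authenticate_mcp_request_fixed(good, True))         # True
```

The two handlers differ only in where the exception is caught: the vulnerable one converts an authentication failure into an anonymous principal and then lets the per-server `allow_all_keys` policy grant access, while the fixed one lets the 401 propagate so policy is never evaluated for a request that was not authenticated. When reviewing similar code, the check to make is that no `except` around key validation can fall through to a code path that still serves the request.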

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive backend MCP servers.

  • Attackers can steal sensitive data.
  • They may execute sensitive tools that should be protected.
  • There is potential for Remote Code Execution (RCE), allowing attackers to run arbitrary code on the server.

Because the authentication bypass is remote and requires no privileges or user interaction, it poses a critical risk to affected systems.

Detection Guidance

This vulnerability can be detected by attempting to send unauthenticated JSON-RPC requests to the MCP endpoint with an arbitrary invalid Authorization header. If the server responds with a 200 OK status and processes the request, it indicates a successful authentication bypass.

A practical detection method is to use a command-line tool like curl to send a request with an invalid token and observe the response.

```bash
curl -X POST https://<target>/mcp_endpoint \
  -H "Authorization: Bearer invalidtoken" \
  -d '{"jsonrpc":"2.0","method":"list_tools","params":{},"id":1}' -v
```

If the response status is 200 OK and the server returns data (such as a list of protected tools), it confirms the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include upgrading the LiteLLM Python package to a version newer than 1.59.8 where the vulnerability has been patched.

Additionally, review and disable the configuration option `allow_all_keys: true` in the MCP Proxy settings to prevent unrestricted access via invalid API keys.

As a temporary measure, restrict network access to the MCP Proxy endpoints to trusted sources only, reducing the risk of remote exploitation.

Compliance Impact

The vulnerability allows unauthenticated attackers to bypass authentication and gain unauthorized access to backend MCP servers, potentially leading to data theft and execution of sensitive tools.

Such unauthorized access and potential data breaches could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Therefore, exploitation of this vulnerability may compromise the confidentiality, integrity, and availability of sensitive information, impacting compliance with these common standards and regulations.
