CVE-2026-12774
Received - Intake
Server-Side Request Forgery in BerriAI litellm

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulDB

Description
A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function _execute_with_mcp_client of the file litellm/proxy/_experimental/mcp_server/rest_endpoints.py of the component MCP Server Connection Testing. The manipulation leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.
Affected Vendors & Products

| Vendor | Product | Version / Range |
|---|---|---|
| berriai | litellm | to 1.82.2 (inc) |

| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Executive Summary

CVE-2026-12774 is a security vulnerability in BerriAI LiteLLM versions up to 1.82.2, specifically in the function _execute_with_mcp_client within the MCP Server Connection Testing component. The vulnerability allows an attacker to perform Server-Side Request Forgery (SSRF) by manipulating the /v1/mcp/test/connection endpoint.

The issue arises because the OAuth flow detection is incomplete, allowing authenticated users to supply crafted token_url, client_id, and client_secret values. This causes LiteLLM to send arbitrary HTTP POST requests to internal or external network destinations without proper validation or domain restrictions.

The root cause is that the _execute_with_mcp_client handler overrides OAuth flow settings based on user input, and the mcp_oauth2_token_cache uses the attacker-controlled token_url to make outbound requests. This can be exploited to probe internal networks or cause unauthorized state changes.

Impact Analysis

This vulnerability can have several impacts including unauthorized internal network reconnaissance and potential unauthorized state changes within the affected system.

  • An attacker can force the server to send arbitrary HTTP POST requests to internal or external systems, potentially exposing sensitive data such as credentials.
  • It can be used to probe internal network resources that are otherwise inaccessible, increasing the risk of further exploitation.
  • The vulnerability allows remote exploitation, meaning attackers do not need local access to exploit it.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized HTTP POST requests originating from the LiteLLM server, especially those targeting internal or external network destinations via the `/v1/mcp/test/connection` endpoint.

Detection involves checking for crafted requests that manipulate the `token_url`, `client_id`, and `client_secret` parameters to trigger Server-Side Request Forgery (SSRF).

  • Use network monitoring tools (e.g., tcpdump or Wireshark) to capture outbound POST requests from the LiteLLM server.
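  • Example tcpdump command to monitor outbound HTTP POST requests (plaintext HTTP on port 80 only; requests sent over TLS are not visible to this filter): `tcpdump -i <interface> 'src host <liteLLM_server_ip> and tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'`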
  • Inspect application logs for requests to `/v1/mcp/test/connection` with unusual or unexpected `token_url` values.
  • Use curl or similar tools to test the endpoint with crafted parameters to verify if the server is vulnerable.

Mitigation Strategies

Immediate mitigation steps include upgrading LiteLLM to a version later than 1.82.2 where the vulnerability has been patched.

If upgrading is not immediately possible, restrict access to the `/v1/mcp/test/connection` endpoint to trusted users only, as exploitation requires authenticated access.

Implement network-level controls to prevent the LiteLLM server from making arbitrary outbound HTTP POST requests, especially to untrusted or internal network destinations.

Review and harden OAuth flow validation to ensure that parameters like `token_url` cannot be manipulated by users.
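
One way to express the `token_url` check that both the log review under Detection Guidance and the hardening step above rely on, as an added example (not LiteLLM's code or its patch). The allowlist, the `user`/`token_url` event fields and the injectable `resolver` are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: token endpoints this deployment trusts (constructed example host).
ALLOWED_TOKEN_HOSTS = frozenset({"login.example.com"})


def resolve_all(host, port):
    """Real DNS lookup: every address the host currently resolves to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_token_url(url, allowed_hosts=ALLOWED_TOKEN_HOSTS, resolver=resolve_all):
    """Return (ok, reason); ok only for an allowlisted https host on public IPs."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443  # .port raises ValueError on a bad port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        addresses = resolver(host, port)
    except OSError:
        addresses = []
    if not addresses:
        return False, "host does not resolve"
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip    # unwrap ::ffff:a.b.c.d
        if not ip.is_global:  # loopback, RFC 1918, link-local (cloud metadata), ...
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


def flag_requests(events, **kwargs):
    """Log review: (user, token_url, reason) for each event whose token_url fails."""
    checked = [(e, check_token_url(e["token_url"], **kwargs)) for e in events]
    return [(e["user"], e["token_url"], why) for e, (ok, why) in checked if not ok]
```

The verdict only holds if the outbound HTTP client connects to the addresses that were checked and does not follow redirects; otherwise a second DNS answer or a 30x response can still steer the POST elsewhere.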

Compliance Impact

The CVE-2026-12774 vulnerability allows an attacker to perform server-side request forgery (SSRF), potentially leading to unauthorized internal network reconnaissance and exposure of sensitive data such as credentials. This unauthorized data exposure and potential compromise of internal systems can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and maintaining secure systems to protect personal and health-related data.

Because the vulnerability enables attackers to manipulate server requests and possibly access or disclose sensitive information, organizations using affected versions of LiteLLM may face increased risk of non-compliance with these standards if the vulnerability is exploited.
