CVE-2026-12798
Received Received - Intake
Server-Side Request Forgery in BerriAI litellm

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulDB

Description
A weakness has been identified in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function load_openapi_spec_async of the file litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py of the component MCP OpenAPI Spec Loader. This manipulation of the argument spec_path causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-21
Last Modified
2026-06-21
Generated
2026-06-21
AI Q&A
2026-06-21
EPSS Evaluated
N/A
NVD
CVE-2026-12798
EUVD
EUVD-2026-38157
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
berriai litellm to 1.82.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) issue in the LiteLLM proxy, specifically in the MCP OpenAPI Spec Loader component. It occurs in the function load_openapi_spec_async, which accepts a user-controlled URL parameter called spec_path without proper validation.

Because the function makes an HTTP GET request to the provided URL, an attacker who is authenticated (not necessarily an admin) can manipulate this parameter to make the server fetch arbitrary internal URLs. This can lead to internal service discovery, port scanning, and even exfiltration of sensitive cloud metadata credentials, such as AWS IAM temporary credentials.

The vulnerable endpoint is /mcp-rest/test/tools/list, accessible to any authenticated user, and there are no protections like private IP filtering, cloud metadata endpoint blocking, or DNS rebinding protection.

Impact Analysis

This vulnerability can have serious impacts including unauthorized internal network reconnaissance and data exposure. An attacker can use it to discover internal services and scan ports that are normally inaccessible from outside.

More critically, it can be exploited to access sensitive cloud metadata endpoints, potentially leaking cloud credentials such as AWS IAM temporary credentials. This can lead to further compromise of cloud resources and data.

Since the attack can be initiated remotely by any authenticated user, it increases the risk of insider threats or compromised accounts being leveraged to escalate attacks within the network.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing requests to the vulnerable endpoint `/mcp-rest/test/tools/list` which calls the `load_openapi_spec_async()` function with a user-controlled `spec_path` parameter.

To detect exploitation attempts, you can look for unusual HTTP GET requests that include URLs pointing to internal IP ranges, cloud metadata endpoints (e.g., 169.254.169.254), or other internal services.

Suggested commands to detect potential exploitation include using network monitoring tools or command-line utilities to inspect logs or live traffic for suspicious requests:

  • Using grep on server logs to find requests to the vulnerable endpoint: `grep "/mcp-rest/test/tools/list" /var/log/nginx/access.log`
  • Searching for internal IP addresses or cloud metadata URLs in the `spec_path` parameter: `grep -E "spec_path=.*(169\.254\.169\.254|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)" /var/log/nginx/access.log`
  • Using network packet capture tools like tcpdump or Wireshark to filter HTTP requests to the vulnerable endpoint and inspect the `spec_path` parameter.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint `/mcp-rest/test/tools/list` to trusted users only, as any authenticated user can exploit this vulnerability.

Implement network-level controls such as firewall rules to block outgoing requests from the server to internal IP ranges and cloud metadata service IPs (e.g., 169.254.169.254).

If possible, disable or restrict the use of the `load_openapi_spec_async()` function or the MCP OpenAPI Spec Loader component until a patch or fix is available.

Monitor logs for suspicious activity and consider applying application-level input validation to ensure the `spec_path` parameter does not accept internal or sensitive URLs.

Compliance Impact

The vulnerability allows authenticated users to perform server-side request forgery (SSRF), enabling access to internal services and cloud metadata credentials, such as AWS IAM temporary credentials. This unauthorized access to sensitive internal data and credentials could lead to data breaches or unauthorized data exposure.

Such data breaches or unauthorized access could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly state the direct impact on compliance or mention specific regulatory violations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12798. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart