CVE-2026-59822
Received Received - Intake

Authentication Bypass in LiteLLM MCP Streamable HTTP

Vulnerability report for CVE-2026-59822, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, LiteLLM's MCP Streamable HTTP endpoint allowed an unauthenticated attacker to use a fabricated Authorization header to trigger an OAuth2 passthrough fallback path that replaced failed LiteLLM key validation with an empty UserAPIKeyAuth() object, allowing requests to reach MCP tooling without a valid LiteLLM key. This issue is fixed in version 1.84.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
litellm litellm to 1.84.0 (exc)
berriai litellm 1.84.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59822 is an authentication bypass vulnerability in LiteLLM's MCP Streamable HTTP endpoint prior to version 1.84.0.

The vulnerability arises because when LiteLLM key validation fails, the system incorrectly falls back to an OAuth2 passthrough mechanism that replaces the failed validation with an empty UserAPIKeyAuth() object.

This allows an unauthenticated attacker to use a fabricated Authorization header to bypass authentication and access MCP tooling without a valid LiteLLM key.

The issue was fixed by ensuring the OAuth2 fallback only applies when all targeted servers are explicitly configured to use OAuth2 authentication, and by failing closed otherwise.

Impact Analysis

This vulnerability allows unauthenticated attackers to bypass authentication and gain access to MCP tooling and configured MCP services.

Attackers can list and invoke MCP tools, potentially accessing connected services exposed through MCP without any valid credentials.

The attack requires no privileges or user interaction and can be exploited remotely with low complexity.

This could lead to unauthorized access to sensitive operations or data exposed via MCP endpoints.

Detection Guidance

This vulnerability involves unauthorized access to the MCP Streamable HTTP endpoint by exploiting a fabricated Authorization header and an OAuth2 passthrough fallback mechanism. Detection can focus on monitoring requests to MCP endpoints for unusual or malformed Authorization headers, especially those that trigger authentication bypass.

Network or system administrators can look for requests to MCP routes that include suspicious query strings like "?.well-known" appended to URLs, which were previously used to bypass authentication.

Suggested commands include using network traffic inspection tools or web server logs to filter for such requests. For example, using grep on server logs to find requests with suspicious Authorization headers or query strings:

  • grep -i 'Authorization:' /var/log/litellm/access.log | grep -E 'Bearer|Basic|OAuth2|UserAPIKeyAuth'
  • grep '\?.well-known' /var/log/litellm/access.log
  • Using network packet capture tools like tcpdump or Wireshark to filter HTTP requests to MCP endpoints and analyze Authorization headers for anomalies.

Additionally, monitoring for 401 or 403 responses followed by successful access without valid credentials could indicate exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade LiteLLM to version 1.84.0 or later, where the vulnerability is fixed by enforcing strict authentication checks and OAuth2 fallback restrictions.

If upgrading immediately is not possible, temporary workarounds include disabling MCP routes or blocking access to MCP endpoints at the reverse proxy or API gateway level to prevent unauthenticated access.

Ensure that any OAuth2 fallback mechanisms are only enabled when all targeted MCP servers are explicitly configured for OAuth2 authentication, preventing fallback to anonymous sessions.

Review and tighten access controls and authentication configurations on MCP endpoints to avoid accepting fabricated or malformed Authorization headers.

Compliance Impact

The vulnerability allows unauthenticated attackers to bypass authentication and access MCP tooling and connected services through the LiteLLM proxy server. This unauthorized access could lead to exposure or misuse of sensitive data handled by these services.

Such unauthorized access risks violating data protection and privacy requirements found in common standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.

Therefore, until the vulnerability is fixed or mitigated, affected systems may be non-compliant with these regulations due to the increased risk of unauthorized data access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59822. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart