Note: This advisory covers 5 newly disclosed LiteLLM CVEs. For the CISA KEV CVE-2026-42271 (command injection, due TODAY June 22), see our dedicated CVE-2026-42271 advisory.
BerriAI LiteLLM, the widely deployed open-source LLM gateway, has disclosed five additional vulnerabilities covering authentication bypass, API key exposure, and authorization weaknesses. These were disclosed over the weekend of June 21-22 and should be addressed alongside today’s CISA KEV deadline for CVE-2026-42271.
CVE Summary
CVE-2026-12773 (CVSS 7.3 HIGH): Authentication bypass in the UserAPIKeyAuth function of litellm/proxy/auth/user_api_key_auth.py (up to v1.59.8). Improper validation of user API keys could allow an attacker to bypass authentication checks and access proxied AI services.
CVE-2026-12772 (CVSS 6.3 MEDIUM): Weakness in the authenticate_user function (up to v1.82.2). Authentication logic flaw could allow credential validation bypass under specific conditions.
CVE-2026-12774 (CVSS 6.3 MEDIUM): Additional authentication weakness in LiteLLM up to v1.82.2 affecting user verification flows.
CVE-2026-12771 (CVSS 5.0 MEDIUM): Information disclosure affecting an unspecified function in litellm/proxy. Potential exposure of configuration or key material.
CVE-2026-12770 (CVSS 5.4 MEDIUM): API key management issue up to v1.63.1. Weakness in how API keys are stored, validated, or rotated.
Impact
LiteLLM serves as the gateway between applications and AI model providers (OpenAI, Anthropic, Google AI, Azure OpenAI, etc.). The authentication bypass (CVE-2026-12773) is the most concerning — it could allow unauthorised access to proxied AI services, potentially enabling an attacker to consume AI API credits, access AI model inputs and outputs, or exfiltrate API keys for downstream services. Combined with today’s CISA KEV CVE-2026-42271 (command injection), LiteLLM deployments face both authentication and command execution risks simultaneously.
Fix
- Upgrade to LiteLLM v1.83.7-stable or later — this version addresses all known CVEs including CVE-2026-42271 and the five new disclosures:
  pip install --upgrade "litellm>=1.83.7"
  (quote the requirement specifier; an unquoted `>=` is treated as shell redirection)
- Restart all LiteLLM proxy instances after upgrading
- Audit and rotate all AI provider API keys proxied through LiteLLM
- Review LiteLLM access logs for suspicious authentication attempts or unusual API usage patterns
Recommendations
- Patch today: LiteLLM CISA KEV CVE-2026-42271 deadline is today (June 22). The same upgrade addresses all five new CVEs
- Rotate API keys: After upgrading, rotate all AI provider API keys (OpenAI, Anthropic, Google, Azure, etc.) that were proxied through vulnerable LiteLLM instances
- Audit access logs: Review for unauthorised API calls, unusual model usage patterns, or unexpected key usage from unknown IPs
- Restrict network access: LiteLLM management interfaces and API endpoints should not be internet-facing. Use network segmentation and authentication at the network boundary
- Monitor for additional CVEs: LiteLLM has had 7 CVEs disclosed in June 2026 alone. Consider whether the current version meets your security requirements or whether additional hardening is needed
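As an added example (not part of this advisory or the LiteLLM project) of the log review recommended under Fix and Recommendations, the script below triages a JSON-lines access log for the three indicators named above: bursts of failed authentication from one source, keys used from outside known networks, and models a key is not expected to call. The record layout (`ts`, `src_ip`, `key_hash`, `model`, `status`) is a constructed assumption, not LiteLLM's real log schema, so map the field names to whatever your proxy or reverse proxy actually emits.

```python
"""Triage a LiteLLM-style access log for the indicators this advisory lists."""
import json
from collections import Counter, defaultdict

# Constructed sample records in an ASSUMED layout (not real LiteLLM output):
# 10.0.5.12 is an internal client; 203.0.113.9 is an unknown external address.
SAMPLE_LOG = """\
{"ts": "2026-06-22T08:00:01Z", "src_ip": "10.0.5.12", "key_hash": "k1", "model": "gpt-4o", "status": 200}
{"ts": "2026-06-22T08:00:07Z", "src_ip": "10.0.5.12", "key_hash": "k1", "model": "gpt-4o", "status": 200}
{"ts": "2026-06-22T08:01:13Z", "src_ip": "203.0.113.9", "key_hash": "k1", "model": "gpt-4o", "status": 200}
{"ts": "2026-06-22T08:01:14Z", "src_ip": "203.0.113.9", "key_hash": "k1", "model": "claude-3-opus", "status": 200}
{"ts": "2026-06-22T08:02:00Z", "src_ip": "203.0.113.9", "key_hash": "bad1", "model": "gpt-4o", "status": 401}
{"ts": "2026-06-22T08:02:01Z", "src_ip": "203.0.113.9", "key_hash": "bad2", "model": "gpt-4o", "status": 401}
{"ts": "2026-06-22T08:02:02Z", "src_ip": "203.0.113.9", "key_hash": "bad3", "model": "gpt-4o", "status": 401}
"""


def triage(log_text, known_prefixes=("10.",), expected_models=None, auth_fail_threshold=3):
    """Return findings keyed by indicator type; each value is empty when nothing was flagged."""
    expected_models = set(expected_models or ())
    auth_failures = Counter()        # src_ip -> number of 401 responses
    key_sources = defaultdict(set)   # key_hash -> set of source IPs that used the key
    unexpected_models = set()        # (key_hash, model) pairs outside the expected set

    def is_unknown(ip):
        # Anything not inside a known network prefix counts as an unknown source.
        return not ip.startswith(known_prefixes)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["status"] == 401:
            auth_failures[rec["src_ip"]] += 1   # failed auth: count it, do not attribute a key
            continue
        key_sources[rec["key_hash"]].add(rec["src_ip"])
        if expected_models and rec["model"] not in expected_models:
            unexpected_models.add((rec["key_hash"], rec["model"]))

    return {
        "auth_failure_bursts": {ip: n for ip, n in auth_failures.items() if n >= auth_fail_threshold},
        "keys_used_from_unknown_ips": {k: sorted(filter(is_unknown, ips))
                                       for k, ips in key_sources.items() if any(map(is_unknown, ips))},
        "unexpected_models": sorted(unexpected_models),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, expected_models={"gpt-4o"}), indent=2))
```

Any key that appears under `keys_used_from_unknown_ips` is a candidate for the rotation step above, independent of whether the upgrade has already been applied.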
References
- LiteLLM v1.83.7-stable Release
- GitHub Advisory GHSA-v4p8-mg3p-g94g (CVE-2026-42271)
- NVD: CVE-2026-12773 | CVE-2026-12772
- CISA KEV Catalog
Part of the Vulnerability Intelligence series on threat-modeling.com. The LiteLLM CISA KEV deadline is today, June 22, 2026. Patch immediately.
