BerriAI litellm: Improper authentication in MCP Proxy via UserAPIKeyAuth function
Summary
A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure. A flaw was found in BerriAI litellm, within its MCP Proxy component. A remote attacker could exploit an improper authentication vulnerability in the UserAPIKeyAuth function. This could allow unauthorized access, potentially compromising the confidentiality, integrity, and availability of data within the system. A flaw was found in litellm. When the LiteLLM proxy MCP authentication flow mishandles 401/403 errors from API key validation, an attacker may bypass MCP proxy authentication and reach backend MCP servers that are configured with allow_all_keys: true. This issue affects litellm versions prior to 1.81.16 as shipped in select Red Hat products. Red Hat severity: Important — CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Weakness: CWE-303. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Upgrade to litellm 1.81.16 or later. As a workaround, do not configure backend MCP servers with allow_all_keys: true, and restrict network access to the LiteLLM MCP proxy endpoints.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.