PatchSiren cyber security CVE debrief

CVE-2026-12797 BerriAI CVE debrief

CVE-2026-12797 is a low-severity security flaw in BerriAI litellm versions up to 1.82.5. The vulnerability affects the Completions Interface, specifically the async_pre_call_hook function in banned_keywords.py. The flaw results in incorrect authorization and can be exploited remotely. Although an exploit has been publicly released, the CVSS score is 2.1, indicating low severity. Defenders should assess their exposure and prioritize patching based on their specific use cases.

Vendor: BerriAI
Product: litellm
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-21
Original CVE updated: 2026-06-22
Advisory published: 2026-06-21
Advisory updated: 2026-06-22

Who should care

Organizations running BerriAI litellm versions up to 1.82.5 should be aware of this vulnerability. In particular, those that use the Completions Interface and have not updated to a patched version may be exposed to incorrect authorization. Given the low severity but remote exploitability, defenders should evaluate their risk and apply patches or mitigations as necessary.

Technical summary

CVE-2026-12797 is caused by a flaw in the async_pre_call_hook function in the banned_keywords.py file, located in the enterprise/enterprise_hooks directory of BerriAI litellm up to version 1.82.5. This function is part of the Completions Interface. The vulnerability leads to incorrect authorization when the prompt argument is manipulated. The CVSS score is 2.1, classified as low severity. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

Low severity, but prioritize patching due to remote exploitability and public exploit availability.

Recommended defensive actions

  • Inventory and review current BerriAI litellm versions to identify instances up to 1.82.5.
  • Apply patches or updates to BerriAI litellm to a version beyond 1.82.5.
  • Review and restrict access to the Completions Interface, especially in enterprise environments.
  • Monitor for suspicious activity involving the async_pre_call_hook function in banned_keywords.py.
  • Consider compensating controls, such as additional authentication or input validation, if patching is not immediately feasible.

Evidence notes

The primary evidence for CVE-2026-12797 comes from the NVD and Vuldb sources. The vulnerability affects BerriAI litellm up to version 1.82.5, specifically the async_pre_call_hook function of the Completions Interface. The available evidence indicates that an exploit has been released publicly but provides no details on widespread exploitation. Defenders should verify their current litellm version and review the official CVE and NVD records for further details.

Official resources

This article is AI-assisted and based on the supplied source corpus.