PatchSiren

CVE-2026-12798 BerriAI CVE debrief

CVE-2026-12798 is a low-severity server-side request forgery (SSRF) vulnerability in BerriAI litellm up to 1.82.2. The issue affects the load_openapi_spec_async function in litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py. The attack can be initiated remotely by manipulating the spec_path argument. The CVSS score is 2.1. The vendor was contacted early about this disclosure. Limited exploit details are publicly available.

Vendor: BerriAI
Product: litellm
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-21
Original CVE updated: 2026-06-22
Advisory published: 2026-06-21
Advisory updated: 2026-06-22

Who should care

Defenders of BerriAI litellm deployments up to version 1.82.2 should assess and prioritize patching. This vulnerability allows remote attackers to make the server issue requests to destinations of the attacker's choosing, potentially leading to unauthorized actions. Although the CVSS severity is low, defenders should verify their inventory and review official advisories for specific mitigations.

Technical summary

CVE-2026-12798 is a server-side request forgery (SSRF) vulnerability in the load_openapi_spec_async function of BerriAI litellm up to 1.82.2. The vulnerable code resides in litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py. An attacker can exploit it remotely by manipulating the spec_path argument, causing the server to issue requests it should not. The vulnerability's CVSS score is 2.1, indicating low severity. Defenders should nonetheless assess and mitigate the risk, especially in environments where SSRF can reach internal services or cloud metadata endpoints and therefore lead to significant impact.

Defensive priority

Low priority, but verify inventory and assess potential impact of SSRF in your environment.

Recommended defensive actions

  • Inventory BerriAI litellm deployments up to version 1.82.2 and assess exposure.
  • Review official advisories for specific mitigations or patches.
  • Limit exposure by restricting access to the affected function or component.
  • Monitor for suspicious server requests that could indicate exploitation attempts.
  • Apply vendor-supported remediation when available.
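The summary above describes a caller-controlled spec_path that the server uses to fetch an OpenAPI spec, and the actions list recommends limiting exposure of that path. The following is an added example, not litellm's own code and not the vendor's fix: a deployment-side guard that validates a spec location before anything fetches it. It accepts only local files under a fixed directory or https URLs whose host is allowlisted and whose every resolved address is public. SPEC_DIR, ALLOWED_HOSTS, the function names and the resolver hook are assumptions for this example.

```python
"""Allowlist-based validation for a user-supplied OpenAPI spec location.

Added example (not litellm's code): a guard a proxy operator could apply
before any routine that loads a spec from a caller-controlled path or URL.
"""
import ipaddress
import os
import socket
from urllib.parse import urlparse

# Constructed policy values for this example; a real deployment sets its own.
SPEC_DIR = "/etc/litellm/specs"        # local specs must live under this directory
ALLOWED_HOSTS = {"api.example.com"}    # remote specs may only come from these hosts
ALLOWED_SCHEMES = {"https"}            # rejects http, file, gopher, etc.


class SpecPathRejected(ValueError):
    """Raised when a spec location fails the policy."""


def _resolve(host):
    """Default resolver: every address the host currently maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_public(addr):
    """True only for addresses outside loopback, private, link-local and similar ranges."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_spec_path(spec_path, resolve=_resolve):
    """Return a normalised spec location or raise SpecPathRejected.

    A bare path is treated as a local file: it is canonicalised (collapsing
    '..' and symlinks) and must stay inside SPEC_DIR.  A URL must use an
    allowed scheme, carry no embedded credentials, name an allowlisted host,
    and that host must resolve only to public addresses (this blocks
    loopback, RFC 1918 and link-local targets such as 169.254.0.0/16).
    """
    parsed = urlparse(spec_path)
    if parsed.scheme == "":
        root = os.path.realpath(SPEC_DIR)
        real = os.path.realpath(os.path.join(root, spec_path))
        if os.path.commonpath([real, root]) != root:
            raise SpecPathRejected(f"local path escapes {SPEC_DIR}: {spec_path!r}")
        return real
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise SpecPathRejected(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        raise SpecPathRejected("credentials embedded in URL are not allowed")
    host = parsed.hostname
    if not host or host not in ALLOWED_HOSTS:
        raise SpecPathRejected(f"host not allowlisted: {host!r}")
    for addr in resolve(host):
        if not _is_public(addr):
            raise SpecPathRejected(f"{host} resolves to non-public address {addr}")
    return spec_path


def is_allowed(spec_path, resolve=_resolve):
    """Boolean convenience wrapper around validate_spec_path."""
    try:
        validate_spec_path(spec_path, resolve=resolve)
        return True
    except SpecPathRejected:
        return False


if __name__ == "__main__":
    # Constructed resolver stub so the demo runs offline (93.184.216.34 is a public address).
    public = lambda host: ["93.184.216.34"]
    for candidate in ("petstore.yaml", "../../etc/passwd", "file:///etc/passwd",
                      "http://api.example.com/spec", "https://api.example.com/spec"):
        print(f"{candidate!r:40} -> {'allowed' if is_allowed(candidate, public) else 'rejected'}")
```

The check resolves the host itself rather than trusting the URL text, which is what defeats allowlisted names pointed at internal addresses. Resolution at check time can still differ from resolution at fetch time (DNS rebinding), so a complete mitigation also pins the fetch to the address that passed the check, or performs the same address check inside the HTTP client's connection hook.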

Evidence notes

The primary evidence for CVE-2026-12798 comes from the NVD and VulDB sources. The vulnerability affects BerriAI litellm up to version 1.82.2, specifically the load_openapi_spec_async function in litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py. Defenders should verify their inventory of litellm deployments and review official advisories for specific mitigations. Limited exploit details are publicly available, and the CVSS score is 2.1, indicating low severity.

Official resources

This article is AI-assisted and based on the supplied source corpus.