Does CVE-2026-12773 affect every LiteLLM deployment?

CVE-2026-12773 affects LiteLLM proxy deployments that run with the default general_settings.allowed_routes configuration, which the upstream documentation recommended through May 2026. Deployments that explicitly scoped allowed_routes to exclude /key/* are not exposed to the bypass. The threat-modeling.com analysis reports the default-configuration exposure as the common case in the field, with patched versions 1.78.4 and later closing the path. Operators on earlier versions with the default configuration should treat the deployment as exposed until verified otherwise.

Why did CISA add CVE-2026-42271 to the KEV catalog so quickly?

CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog on June 8, 2026, six days after the CVE was published. The KEV addition reflects observed in-the-wild exploitation. The proof-of-concept for the unsanitized YAML loader was published the same day as the disclosure, and security researchers reported active scanning for exposed /config/update endpoints within 48 hours of disclosure. The KEV listing triggers the federal patching deadline under BOD 22-01 and signals to private-sector operators that exploit code is in circulation.

Is the answer to stop using AI gateways?

No. The answer is to separate the policy decision function from the credential vault function. An AI gateway that holds provider keys is a credential vault that needs the security controls of a credential vault: separate process for the management plane, separate host for the data plane, hardware-backed key storage, and customer-controlled audit sinks. An AI gateway that holds no keys is a policy proxy with a smaller attack surface. The June 2026 LiteLLM CVE wave is evidence that the combined-function design is operationally exposed. The architectural split is the lesson.

How does the LiteLLM CVE wave compare to similar incidents in other gateway categories?

The pattern is not unique to AI gateways. API gateway products (Kong, Apigee, Tyk) and identity products (Keycloak, Auth0 self-hosted) have produced similar control-plane CVE clusters across the past five years. The pattern repeats when a single product handles both the request-forwarding path and the credential storage path. The AI gateway category inherited the pattern because the early products (LiteLLM, Portkey, Kong AI Gateway) followed the API gateway architectural template. The June 2026 cluster is the expected mid-cycle event for the category, not an anomaly.

What should an operator running LiteLLM today do?

Upgrade to LiteLLM 1.78.4 or later, the version that patches CVE-2026-12773, CVE-2026-42271, and the five remaining June 2026 CVEs. Audit the /key/* and /config/* endpoints for anomalous access in the period between June 2 and the patch deployment date. Rotate every provider API key the gateway holds. Review the gateway's audit log for unauthorized virtual-key creation. Consider whether the gateway needs to hold provider keys at all, or whether the calling applications can attach credentials per request against a policy proxy that holds none.

← Blog

June 25, 2026

LiteLLM's June CVE wave: what an authentication bypass in an AI gateway teaches about control-plane design

LiteLLM disclosed seven CVEs in June 2026, including CVE-2026-12773, a CVSS 7.3 authentication bypass in the UserAPIKeyAuth path, and CVE-2026-42271, a remote code execution flaw that CISA added to the Known Exploited Vulnerabilities catalog on June 8, 2026. The cluster of disclosures exposes a structural lesson about AI gateway design: the gateway authentication layer and the provider-key storage layer are themselves high-value attack surfaces. The lesson points at architectural choices that minimize blast radius.

ByParminder Singh· Founder & CEO, DeepInspect Inc.

Problem-Awarelitellm-cveai-gateway-securityauthentication-bypasscve-2026-12773cisa-kevcontrol-plane

LiteLLM's June CVE wave: what an authentication bypass in an AI gateway teaches about control-plane design

LiteLLM disclosed seven CVEs across the first three weeks of June 2026, including CVE-2026-12773, a CVSS 7.3 authentication bypass in the UserAPIKeyAuth path that lets an unauthenticated caller reach virtual-key endpoints, and CVE-2026-42271, a remote code execution flaw in the proxy admin handler that CISA added to the Known Exploited Vulnerabilities catalog on June 8, 2026. The cluster, catalogued at length on threat-modeling.com, surfaces a structural point about AI gateway design. The authentication layer of a gateway and the provider-key storage layer are themselves attack surfaces of high value, because compromise of either yields direct access to every downstream LLM provider the gateway fronts.

I want to walk through what the LiteLLM CVE wave actually contains, why the authentication bypass matters more than the RCE on a five-year horizon, what an AI gateway control plane should look like to minimize blast radius, and the architectural choice that separates a stateful key-broker from a stateless policy proxy.

The June 2026 LiteLLM CVE inventory

Seven CVEs landed against BerriAI's LiteLLM project between June 2 and June 19, 2026. CVE-2026-12773 is the headline: a CVSS 7.3 authentication bypass that lets an unauthenticated request reach the /key/generate and /key/info endpoints when the proxy is run with the default general_settings.allowed_routes configuration. CVE-2026-42271 is the CISA KEV entry, a CVSS 9.1 RCE through unsanitized YAML loading in the /config/update admin handler. The remaining five span SSRF in the model-discovery loader, a CSRF in the admin UI, a path-traversal in the model-config writer, an information disclosure in the /health/readiness endpoint, and an authentication weakness in master-key rotation.

The pattern is the gateway control plane. Each CVE targets the part of LiteLLM that manages keys, configuration, and routing, not the request-forwarding path itself.

Why an auth bypass on a gateway is worse than an RCE on a single service

CVE-2026-12773 is a 7.3, two points below the RCE. The 7.3 understates the blast radius. A gateway that fronts OpenAI, Anthropic, Bedrock, and Azure OpenAI holds the long-lived provider API keys for each. An authentication bypass on the key-management endpoints lets an unauthenticated caller mint new virtual keys, read existing key metadata, and (in the LiteLLM configuration) discover the upstream model routes those virtual keys are scoped to.

The downstream consequence is one breach producing access to every LLM provider the gateway terminates. The single-service RCE is contained to the host. The auth bypass on the key broker is a tenant-of-tenants compromise. The 9.1 score reflects the immediate exploit primitive. The 7.3 score does not capture the lateral reach.

The structural lesson: a gateway is a centralized credential vault

Most AI gateways operating in the LiteLLM, Portkey, Kong AI Gateway, and Cloudflare AI Gateway category are designed as credential vaults. The gateway holds the provider keys. The downstream application calls the gateway with a virtual key. The gateway swaps the virtual key for the provider key and forwards the request. The pattern centralizes key management, which is the value proposition.

The pattern also concentrates risk. A gateway holding the OpenAI organization key, the Anthropic workspace key, the Bedrock IAM credential, and the Azure OpenAI tenant credential is a credential vault with the security exposure of a credential vault. The June 2026 LiteLLM CVE wave is the expected outcome when a credential vault accumulates configuration endpoints, admin handlers, and management UIs in the same process as the request forwarder. The control plane and the data plane share a binary, which means a control-plane CVE exposes the data-plane secrets.

Architectural choices that reduce blast radius

Four design choices separate a high-blast-radius gateway from a low-blast-radius one. The first is whether the gateway holds long-lived provider credentials at all. A gateway that requires the calling application to attach the provider credential per request, with the gateway evaluating only policy, holds no key material. The second is whether the control plane and the data plane share a process. Separating the policy-management API from the request-forwarding proxy puts a process boundary between a management-API CVE and the request path. The third is whether the gateway is stateful with respect to identity, sessions, and keys. A stateless proxy that re-evaluates per request has no session store for an attacker to manipulate. The fourth is whether the audit record is written to a destination the gateway operator controls or to a destination the customer controls. A customer-controlled sink survives a gateway compromise.

How the CVE pattern maps to OWASP LLM Top 10 and NIST AI RMF

The June 2026 LiteLLM cluster maps to OWASP LLM Top 10 entries LLM03 (Supply Chain), LLM06 (Sensitive Information Disclosure), and LLM10 (Unbounded Consumption). The supply-chain entry covers the gateway as a dependency. The information disclosure entry covers the provider keys the gateway holds. The unbounded-consumption entry covers the cost exposure when an attacker mints unauthorized virtual keys against the gateway operator's provider accounts. The NIST AI RMF MAP and MANAGE functions ask the same questions the CVE pattern answers: what is the attack surface, who controls the keys, what is the record of the decision. The CVE wave is the empirical answer for the gateway-as-vault pattern.

DeepInspect

DeepInspect is a stateless policy proxy. The proxy does not store provider API keys. The calling application attaches the provider credential per request, scoped to the user and role context the inspection layer verifies against the IdP. The proxy evaluates per-user, per-role, per-route policy on the request, commits the per-decision audit record to the customer's audit sink, and forwards the request to the LLM endpoint. The proxy holds no session state, no virtual-key store, and no long-lived provider credentials. The configuration surface is separated from the request path: policy changes go through a control plane the customer operates on infrastructure the customer controls.

The June 2026 LiteLLM CVE wave illustrates the alternative blast radius. A compromised stateful gateway exposes every provider key the gateway holds for every tenant the gateway serves. A compromised stateless proxy exposes the policy decision logic for the requests in flight at the moment of compromise, with no key material at rest and no virtual-key store to mint against. The architectural choice is whether the gateway is a vault or a proxy.

Book a technical deep dive at deepinspect.ai.

Frequently asked questions

Does CVE-2026-12773 affect every LiteLLM deployment?: CVE-2026-12773 affects LiteLLM proxy deployments that run with the default general_settings.allowed_routes configuration, which the upstream documentation recommended through May 2026. Deployments that explicitly scoped allowed_routes to exclude /key/* are not exposed to the bypass. The threat-modeling.com analysis reports the default-configuration exposure as the common case in the field, with patched versions 1.78.4 and later closing the path. Operators on earlier versions with the default configuration should treat the deployment as exposed until verified otherwise.
Why did CISA add CVE-2026-42271 to the KEV catalog so quickly?: CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog on June 8, 2026, six days after the CVE was published. The KEV addition reflects observed in-the-wild exploitation. The proof-of-concept for the unsanitized YAML loader was published the same day as the disclosure, and security researchers reported active scanning for exposed /config/update endpoints within 48 hours of disclosure. The KEV listing triggers the federal patching deadline under BOD 22-01 and signals to private-sector operators that exploit code is in circulation.
Is the answer to stop using AI gateways?: No. The answer is to separate the policy decision function from the credential vault function. An AI gateway that holds provider keys is a credential vault that needs the security controls of a credential vault: separate process for the management plane, separate host for the data plane, hardware-backed key storage, and customer-controlled audit sinks. An AI gateway that holds no keys is a policy proxy with a smaller attack surface. The June 2026 LiteLLM CVE wave is evidence that the combined-function design is operationally exposed. The architectural split is the lesson.
How does the LiteLLM CVE wave compare to similar incidents in other gateway categories?: The pattern is not unique to AI gateways. API gateway products (Kong, Apigee, Tyk) and identity products (Keycloak, Auth0 self-hosted) have produced similar control-plane CVE clusters across the past five years. The pattern repeats when a single product handles both the request-forwarding path and the credential storage path. The AI gateway category inherited the pattern because the early products (LiteLLM, Portkey, Kong AI Gateway) followed the API gateway architectural template. The June 2026 cluster is the expected mid-cycle event for the category, not an anomaly.
What should an operator running LiteLLM today do?: Upgrade to LiteLLM 1.78.4 or later, the version that patches CVE-2026-12773, CVE-2026-42271, and the five remaining June 2026 CVEs. Audit the /key/* and /config/* endpoints for anomalous access in the period between June 2 and the patch deployment date. Rotate every provider API key the gateway holds. Review the gateway's audit log for unauthorized virtual-key creation. Consider whether the gateway needs to hold provider keys at all, or whether the calling applications can attach credentials per request against a policy proxy that holds none.

← All posts