BerriAI disclosed and fixed CVE-2026-59822, an authentication bypass in LiteLLM versions prior to 1.84.0 that exposed the MCP Streamable HTTP endpoint to unauthenticated access. The flaw allowed a remote attacker to send a fabricated Authorization header that triggered an OAuth2 passthrough fallback path; when LiteLLM key validation failed, the application substituted an empty UserAPIKeyAuth() object and still allowed requests to reach MCP tooling. The vulnerability is classified under CWE-287 and CWE-306 and is described as network-exploitable without privileges or user interaction.
The fix shipped in LiteLLM v1.84.0, alongside broader security hardening across authentication, authorization, and MCP-related features. Release notes for v1.84.0 also highlight encrypted MCP credentials at rest, SSRF protections for OAuth metadata discovery follow-up fetches, hardened invite-link onboarding token handling, redaction of sensitive data, and signed Docker images that can be verified with cosign using a pinned public key and commit reference. Organizations running LiteLLM should upgrade to 1.84.0 or later and validate deployment artifacts as part of remediation.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-59822 was newly published describing an authentication bypass in LiteLLM versions prior to 1.84.0. The flaw affects the MCP Streamable HTTP endpoint, where a fabricated Authorization header can trigger an OAuth2 passthrough fallback that allows access without a valid LiteLLM key.
BerriAI published LiteLLM version 1.84.0, whose release notes include multiple security-related changes and hardening updates affecting authentication, authorization, MCP handling, and related protections. The CVE reference states that this version fixes CVE-2026-59822.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.