CVE-2026-12798

A weakness has been identified in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function load openapi spec async of the file litellm/proxy/ experimental/mcp server/openapi to mcp generator.py of the component MCP OpenAPI Spec Loader. This manipulation of the argument spec path causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.