litellm - 💡(How to fix) Fix [Bug]: MCP tools/list returns tools from a different MCP server when key has restricted access. [1 participants]

BerriAI/litellm#25436 (fetched 2026-04-10 03:41:03)

Check for existing issues

  • I have searched the existing issues and checked that my issue is not a duplicate.

What happened?

When a virtual key is scoped to only one MCP server (e.g. notion), configuring a second server (e.g. github) will still connect, but return the wrong tools. In this case, we see notion tools under a server configured to point to the github MCP. Adding permissions to the virtual key immediately fixes the problem, and removing the permissions again reintroduces the bug.

What did you expect to happen?

Ideally we would be unable to connect to a LiteLLM MCP server with a virtual key if that key is not authorized for the given MCP server. It would be better for this to fail fast and loud, rather than return tools for another server.

Steps to Reproduce

  1. Set up two MCP servers (e.g. notion and github).
  2. Create a new virtual key. Give the key access to just one server (notion).
  3. Run the following curl command to get the available tools:

     curl -s -X POST https://<host>/mcp/github \
       -H "Authorization: Bearer $LITELLM_KEY" \
       -H "Content-Type: application/json" \
       -H "Accept: application/json, text/event-stream" \
       -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'

  4. Instead of getting an error or an empty list, you'll see tool results returned for notion.
  5. Give the virtual key access to the github MCP and make the call again to see the correct tool list.
  6. Remove the MCP permissions again; the call will return the original, incorrect tool list.

Relevant log output

What part of LiteLLM is this about?

Proxy

What LiteLLM version are you on ?

v1.81.14

Twitter / LinkedIn details

No response

extent analysis

TL;DR

The most likely fix is to modify the authentication logic to check the virtual key's permissions for the specific MCP server before returning tools.

Guidance

  • Verify that the virtual key's permissions are being checked correctly for each MCP server by reviewing the authentication logic.
  • Check if the issue is related to caching or stale data by clearing any relevant caches or restarting the service.
  • Consider adding a permission check at the beginning of the tool listing process to fail fast and loud if the virtual key is not authorized for the given MCP server.
  • Review the documentation for the tools/list method to ensure it is being used correctly and that the expected behavior is clearly defined.

Example

No code snippet is provided as the issue does not contain enough information about the implementation details.

Notes

The issue seems to be related to the authentication and authorization logic of the LiteLLM Proxy. The fact that adding permissions to the virtual key fixes the problem and removing them reintroduces the bug suggests that the issue is related to the permission checking mechanism.

Recommendation

Apply a workaround by adding a permission check at the beginning of the tool listing process to fail fast and loud if the virtual key is not authorized for the given MCP server, as this will prevent the incorrect tool list from being returned.
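
The fail-fast check recommended above, as an added example that is not code from the issue or from LiteLLM. `VirtualKey`, `REGISTRY`, `MCPAccessDenied` and both `list_tools_*` functions are hypothetical names, and the lenient variant only models the reported symptom; it is not a statement of LiteLLM's actual root cause.

```python
# Added illustration: hypothetical names throughout, not LiteLLM's implementation.
from dataclasses import dataclass

# Constructed sample registry: MCP server name -> tool names it exposes.
REGISTRY = {
    "notion": ["notion_search", "notion_create_page"],
    "github": ["github_list_issues", "github_create_pr"],
}


class MCPAccessDenied(Exception):
    """Raised when a key may not use the server named in the request path."""


@dataclass(frozen=True)
class VirtualKey:
    key_id: str
    allowed_servers: frozenset


def server_from_path(path: str) -> str:
    """Extract the server name from a path of the form /mcp/<server>."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "mcp" or not parts[1]:
        raise ValueError(f"unexpected MCP path: {path!r}")
    return parts[1]


def list_tools_lenient(key: VirtualKey, path: str) -> list:
    """Models the reported symptom: when the key lacks access to the requested
    server, the path is ignored and tools from the servers it can reach return."""
    requested = server_from_path(path)
    if requested in key.allowed_servers:
        return list(REGISTRY[requested])
    return [t for s in sorted(key.allowed_servers) for t in REGISTRY.get(s, [])]


def list_tools_fail_closed(key: VirtualKey, path: str) -> list:
    """Authorize the exact server in the path before reading any tool list."""
    requested = server_from_path(path)
    # Unknown and unauthorized servers raise the same error type, so the
    # response does not reveal which server names are configured.
    if requested not in REGISTRY or requested not in key.allowed_servers:
        raise MCPAccessDenied(f"key {key.key_id} may not use {requested!r}")
    return list(REGISTRY[requested])
```

The same three calls from the reproduction steps (restricted key, key with github added, restricted key again) make a natural regression test for whichever fix lands.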
