LiteLLM CVE-2026-42271 Exploited; Chain Enables Unauthenticated RCE

CISA has added a high‑severity LiteLLM issue to its Known Exploited Vulnerabilities catalog, citing active exploitation. The flaw, tracked as CVE-2026-42271 (CVSS 8.7), is a command injection bug that lets any authenticated user run arbitrary commands on the host.

What’s affected

  • BerriAI LiteLLM Python package versions ≥ 1.74.2 and < 1.83.7.
  • Exposure is greater if the deployment's dependency tree also includes Starlette ≤ 1.0.0, because a separate host header validation bypass in Starlette (CVE-2026-48710, "BadHost") can remove the need for a valid proxy key.

Why it matters

Attackers who exploit this can:

  • Execute arbitrary commands on the LiteLLM host.
  • Read model provider credentials, API keys and other secrets stored by the proxy.
  • Move laterally into connected AI infrastructure and compromise downstream systems.

How the LiteLLM bug works

BerriAI explains that two test endpoints—POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list—accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect and spawned the supplied command as a subprocess on the proxy host with the proxy process’s privileges.

These endpoints were protected only by a valid proxy API key; no role check was applied. That meant any holder of a valid key, including ordinary internal-user keys with no admin role, could execute arbitrary commands on vulnerable systems.

In version 1.83.7, both test endpoints now require the PROXY_ADMIN role, aligning them with the save endpoint.
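To make the mechanism concrete, the following is an added example written for this page in plain Python; it is not LiteLLM's code and does not use its API. It models the behaviour the advisory describes: the handler takes a whole MCP server definition from the request body and, for the stdio transport, starts the named command as a child of the proxy process. The role names, the (status, body) return shape, and the attacker request body are assumptions. The vulnerable handler checks only that a key is present; the fixed handler adds the PROXY_ADMIN gate.

```python
"""Model of the LiteLLM MCP test-endpoint flaw and its fix (added example).

This is NOT LiteLLM's code.  It reproduces the behaviour described in the
advisory with plain functions: the endpoint accepts a full MCP server
configuration in the request body and, for the stdio transport, spawns the
configured command as a child of the proxy process.  Role names and return
shapes are assumptions chosen for the example.
"""
import os
import subprocess
import sys
from dataclasses import dataclass, field

# Assumed role names: the admin role the fix requires, and an ordinary
# internal-user key that should never be able to spawn processes.
PROXY_ADMIN = "proxy_admin"
INTERNAL_USER = "internal_user"


@dataclass
class McpServerConfig:
    transport: str                       # "stdio" or "http"
    command: str = ""                    # stdio only: executable to start
    args: list = field(default_factory=list)
    env: dict = field(default_factory=dict)
    url: str = ""                        # http only


def parse_config(body: dict) -> McpServerConfig:
    """The whole server definition comes from the request body, which is
    what made the bug reachable: command/args/env are caller-controlled."""
    return McpServerConfig(
        transport=body.get("transport", "http"),
        command=body.get("command", ""),
        args=list(body.get("args", [])),
        env=dict(body.get("env", {})),
        url=body.get("url", ""),
    )


def spawn_stdio_server(cfg: McpServerConfig) -> str:
    """What 'test the connection' meant for a stdio server: run the command
    with the proxy's own privileges and the caller-supplied environment."""
    proc = subprocess.run(
        [cfg.command, *cfg.args],
        env={**os.environ, **cfg.env},
        capture_output=True, text=True, timeout=10,
    )
    return proc.stdout


def _test_connection(cfg: McpServerConfig) -> str:
    if cfg.transport == "stdio":
        return spawn_stdio_server(cfg)
    return f"would open an HTTP connection to {cfg.url}"


def handle_test_connection_vulnerable(caller_role, body: dict):
    """Pre-1.83.7 behaviour: any valid key is enough."""
    if caller_role is None:
        return 401, "missing or invalid API key"
    return 200, _test_connection(parse_config(body))


def handle_test_connection_fixed(caller_role, body: dict):
    """1.83.7 behaviour: the PROXY_ADMIN role is required, matching the
    endpoint that saves MCP server definitions."""
    if caller_role is None:
        return 401, "missing or invalid API key"
    if caller_role != PROXY_ADMIN:
        return 403, "PROXY_ADMIN role required"
    return 200, _test_connection(parse_config(body))


# Constructed attacker request body (not from any real exploit).  A real
# attacker would name a shell; the example uses the current interpreter so
# it runs on any platform.  The marker line proves the command ran and that
# the caller-supplied env entry reached the child.
ATTACK_BODY = {
    "transport": "stdio",
    "command": sys.executable,
    "args": ["-c", "import os; print('MARKER pid', os.getpid(), os.environ.get('PLANTED'))"],
    "env": {"PLANTED": "attacker-controlled"},
}


if __name__ == "__main__":
    print(handle_test_connection_vulnerable(INTERNAL_USER, ATTACK_BODY))
    print(handle_test_connection_fixed(INTERNAL_USER, ATTACK_BODY))
    print(handle_test_connection_fixed(PROXY_ADMIN, ATTACK_BODY))
```

Running it shows the three outcomes: the pre-fix handler executes the planted command for a plain internal-user key and the child sees the planted environment variable; the fixed handler returns 403 for that key. An admin key still drives the stdio test after the fix, which is the intended design: the patch is a role gate on an admin-only capability, not removal of the feature, so admin keys remain high-value credentials.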

From authenticated to unauthenticated RCE

Horizon3.ai showed how chaining CVE-2026-42271 with Starlette’s “BadHost” host header validation bypass (CVE-2026-48710, CVSS 6.5) can let attackers bypass LiteLLM authentication entirely when Starlette ≤ 1.0.0 is present. The result is unauthenticated remote code execution—no credentials required. Horizon3.ai rates the combined chain as CVSS 10.0 (critical).

Current status

Details about in-the-wild activity are limited. There’s no confirmed information on attacker identity, targets, scope, or whether the observed attacks are using the full exploit chain.

What to do now

Prioritize patching:

  • Update LiteLLM to 1.83.7 or later.
  • Update Starlette to 1.0.1 or later.

If you can’t patch immediately, apply these mitigations:

  • Block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at your reverse proxy or API gateway.
  • Restrict network access to trusted segments.
  • Rotate credentials stored by the proxy.
  • Review reverse-proxy and application logs for requests to the two test endpoints, for unexpected Host header values, and for child processes spawned by the LiteLLM process.
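As an added example for the log-review step (not from the advisory or any vendor), the script below scans reverse-proxy access log lines for the two things worth flagging on a LiteLLM host: POSTs to the two test endpoints, and Host header values outside the set of names the deployment is meant to serve. The log format (combined log format with the Host header appended as a trailing quoted field), the allow-list, and the sample lines are constructed assumptions.

```python
"""Access-log triage for the LiteLLM MCP test-endpoint advisory (added example).

Not LiteLLM's or any vendor's code.  Scans reverse-proxy access log lines
for POSTs to the vulnerable test endpoints and for Host header values the
deployment is not expected to serve.  The log format (combined format with
the Host header as a final quoted field) and the allow-list are assumptions.
"""
import re
from collections import Counter

VULNERABLE_PATHS = {
    "/mcp-rest/test/connection",
    "/mcp-rest/test/tools/list",
}

# Assumed format: combined log format plus the request's Host header logged
# as a trailing quoted field (for nginx, '... "$http_host"' in log_format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Returns the named fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, allowed_hosts):
    """Returns a list of (reason, record) findings in log order.  A single
    line can produce two findings (endpoint hit and unexpected host)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # Unparseable lines are reported rather than silently dropped.
            findings.append(("unparsed", {"raw": line}))
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if rec["method"] == "POST" and path in VULNERABLE_PATHS:
            findings.append(("test-endpoint-call", rec))
        # Compare the host name only; a port suffix is normal, an empty or
        # foreign name is not.
        host = rec["host"].lower().split(":", 1)[0]
        if host not in allowed:
            findings.append(("unexpected-host", rec))
    return findings


def sources_with_findings(findings):
    """Per-source-address count of findings, to see who hit what."""
    return Counter(rec["src"] for _reason, rec in findings if "src" in rec)


# Constructed sample log lines (not real traffic).
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Apr/2026:09:01:12 +0000] "POST /chat/completions HTTP/1.1" 200 812 "-" "python-requests/2.31" "llm.internal.example"',
    '203.0.113.7 - - [10/Apr/2026:09:02:40 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 61 "-" "curl/8.5.0" "llm.internal.example"',
    '203.0.113.7 - - [10/Apr/2026:09:02:41 +0000] "POST /mcp-rest/test/tools/list HTTP/1.1" 200 0 "-" "curl/8.5.0" "evil.example"',
    '10.0.0.9 - - [10/Apr/2026:09:03:05 +0000] "GET /health HTTP/1.1" 200 17 "-" "kube-probe/1.29" "llm.internal.example:4000"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    results = triage(SAMPLE_LINES, ["llm.internal.example"])
    for reason, rec in results:
        print(reason, rec.get("src", rec.get("raw")), rec.get("path", ""), rec.get("host", ""))
    print(sources_with_findings(results))
```

On the sample, the two POSTs from 203.0.113.7 are flagged as endpoint calls, the second also for its Host value, and the health probe with a port suffix on an allowed name is not flagged. Feed the script your real proxy logs and your real allow-list; any hit on the test endpoints from a source that should not hold an admin key is worth treating as an incident until shown otherwise.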

Context

Just over a month ago, LiteLLM faced a separate critical SQL injection issue (CVE-2026-42208, CVSS 9.3) that was exploited within 36 hours of disclosure. The pattern is clear: fast updates and basic hardening go a long way.

References: CISA KEV alert, BerriAI advisory, Horizon3.ai analysis, Starlette advisory.
