Executive Summary
CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog on 2026-06-08, marking it as actively exploited CISA KEV opens in a new tab. The affected product is BerriAI LiteLLM, an open-source AI gateway and LLM proxy. The vulnerability is a command injection flaw in the Model Context Protocol (MCP) server preview endpoints that allows attackers to execute arbitrary shell commands on the hosting system.
While the vulnerability originally required authentication with a valid API key, researchers have confirmed that it can be chained with CVE-2026-48710 (the "BadHost" Host header validation bypass in Starlette), allowing unauthenticated remote attackers to bypass the authentication middleware and achieve Remote Code Execution (RCE) on the server. BerriAI has addressed the issue in LiteLLM version 1.83.7-stable by restricting access to these endpoints to the PROXY_ADMIN role. Treat any LiteLLM instance exposed to the internet between versions 1.74.2 and 1.83.6 as a critical intrusion risk.