Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity flaw impacting BerriAI LiteLLM to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-42271 (CVSS score: 8.7), is a command injection vulnerability that could allow any authenticated user to run arbitrary commands on the
Analysis Summary
# Vulnerability: Command Injection and Auth Bypass in LiteLLM (CVE-2026-42271)
## CVE Details
- **CVE ID:** CVE-2026-42271 (Chained with CVE-2026-48710)
- **CVSS Score:** 8.7 (High) / Chained Score: 10.0 (Critical)
- **CWE:** Command Injection (CWE-77) and Improper Input Validation (CWE-20)
## Affected Systems
- **Products:** BerriAI LiteLLM (AI Gateway/Python SDK)
- **Versions:** Affected versions include LiteLLM >= 1.74.2 and < 1.83.7.
- **Configurations:** Systems running LiteLLM with Starlette versions ≤ 1.0.0 are specifically vulnerable to the authentication bypass chain.
## Vulnerability Description
CVE-2026-42271 is a command injection flaw residing in two preview endpoints: `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list`. These endpoints accepted full Model Context Protocol (MCP) server configurations in the request body. If the configuration used the `stdio` transport, LiteLLM would spawn the provided commands as a subprocess on the host with the proxy process's privileges.
While the flaw originally required a valid API key, it can be chained with CVE-2026-48710 (a "BadHost" header validation bypass in the Starlette framework). This chain allows an unauthenticated attacker to bypass the proxy’s authentication check and execute arbitrary commands remotely.
## Exploitation
- **Status:** Exploited in the wild; added to CISA KEV catalog.
- **Complexity:** Low (when chained)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Access to model provider credentials, API keys, and stored secrets).
- **Integrity:** High (Ability to execute arbitrary commands and modify system configurations).
- **Availability:** High (Potential for full system takeover or service disruption).
## Remediation
### Patches
- **LiteLLM:** Upgrade to version **1.83.7** or later. This update restricts the vulnerable endpoints to the `PROXY_ADMIN` role.
- **Starlette:** Upgrade to version **1.0.1** or later to resolve the host header bypass.
### Workarounds
- Block the specific vulnerable endpoints (`/mcp-rest/test/connection` and `/mcp-rest/test/tools/list`) at the reverse proxy or WAF level.
- Restrict network access to the LiteLLM host to trusted internal segments only.
- Rotate all API keys and provider credentials stored within the proxy.
## Detection
- **Indicators of Compromise:** Unusual `Host` header values in HTTP logs.
- **Detection Methods:** Monitor system logs for unexpected subprocesses spawned by the LiteLLM process (e.g., shells or network utilities). Review API logs for unauthorized calls to the `/mcp-rest/test/` endpoints.
## References
- CISA Known Exploited Vulnerabilities Catalog: [https://www.cisa.gov/known-exploited-vulnerabilities-catalog]
- BerriAI Security Advisory: [https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g]
- Starlette Security Advisory: [https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr]
- Horizon3.ai Technical Analysis: [https://horizon3.ai/attack-research/vulnerabilities/cve-2026-42271-chained-with-cve-2026-48710/]