KEV · Published Jun 9, 2026 · 2 sources

Critical LiteLLM Command Injection Flaw CVE-2026-42271 Exploited in the Wild, Chained for Unauthenticated RCE

CISA has added CVE-2026-42271, a critical command injection flaw in BerriAI's LiteLLM, to its Known Exploited Vulnerabilities catalog, with evidence of active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability impacting BerriAI's LiteLLM to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The flaw, tracked as CVE-2026-42271, carries a CVSS score of 8.7 and is a command injection vulnerability that could allow any authenticated user to execute arbitrary commands on the host system.

The vulnerability affects versions of the LiteLLM Python package greater than or equal to 1.74.2 and less than 1.83.7. According to BerriAI, two specific endpoints used for previewing MCP server configurations – POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list – accepted a full server configuration, including command, arguments, and environment fields. When these endpoints were invoked with a stdio configuration, they would attempt to establish a connection, inadvertently spawning the supplied command as a subprocess on the proxy host with the privileges of the proxy process.

Maintainers of the open-source AI gateway and Python SDK noted that these endpoints were only protected by a valid proxy API key. This meant that any authenticated user, including those with privileged internal-user keys, could exploit the vulnerability to execute arbitrary commands on a susceptible system. The issue has since been addressed in version 1.83.7, where both test endpoints now require the PROXY_ADMIN role, aligning their security posture with the save endpoint.

Adding to the severity, researchers at Horizon3.ai have demonstrated that CVE-2026-42271 can be chained with CVE-2026-48710, a "BadHost" host header validation bypass vulnerability affecting the Starlette ASGI framework. This exploit chain effectively bypasses LiteLLM's authentication mechanisms entirely, transforming the vulnerability into an unauthenticated remote code execution (RCE) scenario. The combined CVSS score for this chained exploit reaches a critical 10.0.

Successful exploitation of the chained vulnerability could grant attackers the ability to run arbitrary commands on the LiteLLM host. This could lead to the compromise of model provider credentials, the exfiltration of API keys and secrets stored by the proxy, lateral movement into connected AI infrastructure, and potentially the compromise of downstream systems integrated with the AI gateway. The specific threat actors, targeted entities, and the full scope of the in-the-wild exploitation remain unclear, as does whether current attacks are leveraging the full exploit chain.

Users are strongly advised to update LiteLLM to version 1.83.7 or later and Starlette to version 1.0.1 or later to mitigate these risks. For organizations unable to patch immediately, CISA recommends blocking the vulnerable POST endpoints at the reverse proxy or API gateway, restricting network access to trusted segments, rotating credentials stored by the proxy, and diligently reviewing logs for suspicious Host header activity and subprocess execution events.
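The log review recommended above can be scripted. The following is an added example, not code from BerriAI, CISA or Horizon3.ai: it triages reverse-proxy access logs for POSTs to the two test endpoints and for Host headers outside an allowlist. The JSON-lines log format, its field names, the hostnames and the allowlist approach to "suspicious Host header" are all assumptions.

```python
import json
import posixpath
from urllib.parse import unquote

# The two MCP preview endpoints named in the advisory text above.
WATCHED = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

def normalize(target):
    """Canonicalize a request target so spelling variants of a path still match."""
    path = unquote(target.split("?", 1)[0])            # drop query string, decode %xx once
    path = posixpath.normpath("/" + path.lstrip("/"))  # collapse //, ./, ../ and trailing /
    return path.lower()                                # over-matching is acceptable for triage

def triage(log_lines, expected_hosts):
    """Flag POSTs to the watched endpoints and requests whose Host is not in the allowlist."""
    expected = {h.lower() for h in expected_hosts}
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            # Lines that cannot be parsed are surfaced rather than silently skipped.
            findings.append({"line": lineno, "reasons": ["unparseable"]})
            continue
        reasons = []
        method = str(rec.get("method", "")).upper()
        if method == "POST" and normalize(str(rec.get("path", ""))) in WATCHED:
            reasons.append("mcp-test-endpoint")
        if str(rec.get("host", "")).lower() not in expected:
            reasons.append("unexpected-host")
        if reasons:
            findings.append({"line": lineno, "client": rec.get("client"),
                             "status": rec.get("status"), "reasons": reasons})
    return findings

# Constructed sample log lines (hypothetical field names, hosts and addresses).
SAMPLE = [
    '{"client":"10.0.0.5","method":"POST","path":"/chat/completions","host":"llm.example.internal","status":200}',
    '{"client":"10.0.0.9","method":"POST","path":"/mcp-rest/test/connection","host":"llm.example.internal","status":200}',
    '{"client":"203.0.113.7","method":"POST","path":"/mcp-rest//test/tools/list/?x=1","host":"llm.example.internal","status":403}',
    '{"client":"203.0.113.7","method":"GET","path":"/health","host":"unknown.invalid","status":200}',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, {"llm.example.internal"}):
        print(finding)
```

A flagged request with a 2xx status reached the backend and warrants correlation with subprocess execution events on the proxy host; a 403 on the same path indicates the reverse-proxy block is taking effect.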

This incident follows closely on the heels of another critical vulnerability in LiteLLM, CVE-2026-42208, a SQL injection flaw that also saw active exploitation within 36 hours of its public disclosure. The repeated discovery of critical vulnerabilities in widely used AI infrastructure components underscores the growing need for robust security practices in the rapidly evolving AI landscape.

This new report details how threat actors are actively exploiting a chained vulnerability in LiteLLM, combining CVE-2026-42271 (command injection) with CVE-2026-48710 (Starlette host header bypass). This chain allows for unauthenticated remote code execution with the privileges of the LiteLLM process, enabling theft of API keys and lateral movement within AI infrastructure.

Synthesized by Vypr AI