Overview
A new high‑severity vulnerability in BerriAI LiteLLM, tracked as CVE‑2026‑42271, has entered active exploitation according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The flaw, rated CVSS 8.7, enables command injection that allows authenticated users to execute arbitrary commands on the host system. When chained with a secondary bug in Starlette, the impact escalates to unauthenticated remote code execution (RCE) — a critical threat for AI infrastructure worldwide.

Vulnerability Details
The flaw affects LiteLLM versions ≥ 1.74.2 and < 1.83.7, specifically two endpoints used to preview MCP servers before saving configurations:
| Endpoint | Risk | Description |
|---|---|---|
| POST /mcp-rest/test/connection | Command Injection | Accepts full server configuration including command and args fields |
| POST /mcp-rest/test/tools/list | Privilege Escalation | Spawns subprocess on proxy host with proxy process privileges |
Because these endpoints were secured only by a valid proxy API key, any authenticated user — including internal keys — could trigger arbitrary command execution.
Exploit Chain — LiteLLM + Starlette
Researchers at Horizon3.ai demonstrated that CVE‑2026‑42271 can be chained with CVE‑2026‑48710, a BadHost header validation bypass in Starlette ≤ 1.0.0, to completely sidestep authentication.
| Exploit Stage | Component | Impact |
|---|---|---|
| Host Header Bypass | Starlette ≤ 1.0.0 | Authentication circumvention |
| Command Injection | LiteLLM Proxy | Arbitrary command execution |
| Chained RCE | Combined Exploit | Full unauthenticated RCE (CVSS 10.0) |
Successful exploitation grants attackers complete control over the LiteLLM host, exposing model provider credentials, API keys, and downstream AI systems integrated with the gateway.
Mitigation and Patch Guidance
To secure affected deployments:
- Update LiteLLM to version 1.83.7 or later.
- Update Starlette to version 1.0.1 or later.
- Block vulnerable endpoints (/mcp-rest/test/connection and /mcp-rest/test/tools/list) at the reverse proxy.
- Restrict network access to trusted segments only.
- Rotate stored credentials immediately.
- Review logs for Host header anomalies and subprocess execution events.
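
One way to carry out the HTTP side of the log review, as an added example that is not from the original article or from the LiteLLM project. It assumes the reverse proxy writes one JSON object per line with `method`, `path` and `host` fields, and that `EXPECTED_HOSTS` lists the Host values the gateway is really served under; the sample records are constructed.

```python
import json
from urllib.parse import unquote

# The two MCP preview endpoints named in the advisory.
WATCHED_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
# Assumption: the exact Host values this gateway is legitimately served under.
EXPECTED_HOSTS = {"llm-gateway.example.internal", "llm-gateway.example.internal:4000"}

# Constructed sample records, one JSON object per line (assumed log format).
SAMPLE_LOG = [
    '{"method":"GET","path":"/health","host":"llm-gateway.example.internal"}',
    '{"method":"POST","path":"/mcp-rest/test/connection","host":"llm-gateway.example.internal"}',
    '{"method":"POST","path":"/mcp-rest//test/tools/list/?a=1","host":"unknown.invalid"}',
    '{"method":"POST","path":"/v1/chat/completions","host":"unknown.invalid"}',
    'not json',
]


def normalize_path(raw):
    """Drop the query string, decode %xx, lowercase, collapse extra slashes."""
    path = unquote(str(raw).split("?", 1)[0]).lower()
    return "/" + "/".join(part for part in path.split("/") if part)


def triage(lines):
    """Return (line_number, reasons) for every record worth a closer look."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            # A record the parser cannot read is itself something to inspect.
            findings.append((n, ["unparseable record"]))
            continue
        reasons = []
        # Any method is reported: the matching is deliberately over-inclusive.
        if normalize_path(rec.get("path", "")) in WATCHED_PATHS:
            reasons.append("request to MCP test endpoint")
        if str(rec.get("host", "")).lower() not in EXPECTED_HOSTS:
            reasons.append("unexpected Host header")
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for n, reasons in triage(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

Subprocess execution events on the proxy host come from a different source (process auditing or EDR telemetry) and are not covered by this script.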
Context and Precedent
This incident follows the LiteLLM SQL Injection flaw (CVE‑2026‑42208) disclosed in April 2026, which was exploited within 36 hours of public release. The recurrence of critical vulnerabilities in LiteLLM underscores the growing attack surface of AI middleware and proxy gateways.
Expert in the Cloud Insight
The LiteLLM exploit chain demonstrates how AI infrastructure vulnerabilities can cascade into full system compromise. As AI gateways become central to enterprise operations, security validation must extend to dependencies like Starlette and FastAPI.
For security leaders, the lesson is clear: AI middleware requires continuous code auditing, dependency tracking, and rapid patch deployment.