LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE
The Hacker NewsArchived Jun 09, 2026✓ Full text saved
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity flaw impacting BerriAI LiteLLM to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-42271 (CVSS score: 8.7), is a command injection vulnerability that could allow any authenticated user to run arbitrary commands on the
Full text archived locally
✦ AI Summary· Claude Sonnet
LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE
Ravie LakshmananJun 09, 2026Vulnerability / Artificial Intelligence
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity flaw impacting BerriAI LiteLLM to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2026-42271 (CVSS score: 8.7), is a command injection vulnerability that could allow any authenticated user to run arbitrary commands on the host.
It affects the following version of the LiteLLM Python package -
>= 1.74.2
< 1.83.7
"Two endpoints used to preview an MCP server before saving it - POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list - accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport," according to a description of the flaw shared by BerriAI.
"When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process."
The maintainers of the open-source AI gateway and Python SDK said the endpoints were secured only by means of a valid proxy API key, as a result of which any authenticated user, including privileged internal-user keys, could execute arbitrary commands on a susceptible system.
As part of the patches released in version 1.83.7, both the test endpoints now require the PROXY_ADMIN role, making it consistent with the save endpoint.
LiteLLM Unauthenticated Remote Code Execution via Starlette Host Header Validation Bypass
Last week, Horizon3.ai said it chained CVE-2026-42271 with CVE-2026-48710 (CVSS score: 6.5), a "BadHost" host header validation bypass vulnerability affecting Starlette, a lightweight Asynchronous Server Gateway Interface (ASGI) framework, to completely sidestep authentication and achieve remote code execution against vulnerable LiteLLM deployments.
"CVE-2026-48710 can be used to bypass the authentication mechanism entirely in LiteLLM deployments whose dependency tree includes Starlette versions ≤ 1.0.0," Horizon3.ai said. "This transforms the vulnerability into unauthenticated remote code execution with no credentials required."
Successful weaponization of the exploit chain could allow attackers to run arbitrary commands on the LiteLLM host, access model provider credentials, siphon API keys and secrets stored by the proxy, move laterally into connected AI infrastructure, and even compromise downstream systems integrated with the gateway.
Per Horizon3.ai, the chained vulnerability has a combined CVSS score of 10.0, making it critical in nature.
There is currently no information on how the vulnerability is being exploited, the identity of the threat actor(s) behind the efforts, who are targeted, how widespread these attacks are, or if the activity has successfully compromised any instances. It's also unclear if the attacks observed in the wild are leveraging the exploit chain.
Users are advised to update LiteLLM to version 1.83.7 or later and Starlette to version 1.0.1 or later. If immediate patching is not an option, the following mitigations are recommended -
Block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at the reverse proxy or API gateway.
Restrict network access to trusted segments.
Rotate credentials stored by the proxy.
Review logs for unusual Host header activity and subprocess execution events.
The development comes a little over a month after a critical SQL injection flaw in LiteLLM (CVE-2026-42208, CVSS score: 9.3) came under active exploitation within 36 hours of the bug becoming public knowledge.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
API Security, artificial intelligence, CISA, Command Injection, cybersecurity, LiteLLM, remote code execution, Vulnerability
⚡ Top Stories This Week
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
Malicious npm Package Stole Files From Claude AI User Directory via GitHub
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
Load More ▼
⭐ Featured Resources
Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo)
[Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)
Learn How to Stop Attacks Before They Reach Your EDR – With PHASR
Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report