
Hackers Exploiting LiteLLM RCE Vulnerability in the Wild to Run Arbitrary Commands

Cybersecurity News · Archived Jun 09, 2026




By Guru Baran, June 9, 2026

Threat actors are actively exploiting a critical chained vulnerability in LiteLLM, a popular open-source AI gateway proxy, allowing unauthenticated remote code execution (RCE) on vulnerable deployments. Researchers at Horizon3.ai confirmed that combining two CVEs creates a CVSS 10.0 Critical attack path requiring zero credentials.

At the core of this threat is CVE-2026-42271, a command injection flaw in LiteLLM's Model Context Protocol (MCP) server test endpoints. The following endpoints accept a full MCP server configuration, including the command, its arguments, and environment variables, and spawn the supplied command as a subprocess on the host:

POST /mcp-rest/test/connection
POST /mcp-rest/test/tools/list

When initially disclosed on April 20, 2026, the flaw was considered limited in impact because access required a valid proxy API key. That assumption was dismantled when Horizon3.ai researchers chained it with CVE-2026-48710, a Starlette "BadHost" Host header validation bypass affecting Starlette versions 1.0.0 and earlier. By manipulating the HTTP Host header to trigger the Starlette bypass, attackers can sidestep LiteLLM's API key requirement entirely. The result is unauthenticated remote code execution: injected commands run with the same privileges as the LiteLLM proxy process, with no login or API key required.

Affected versions span LiteLLM 1.74.2 through 1.83.6 on deployments whose dependency tree includes Starlette 1.0.0 or earlier.

LiteLLM RCE Vulnerability Exploited

Successful exploitation of this chained vulnerability gives attackers significant reach into AI infrastructure.
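The endpoint behaviour described above, reduced to its core pattern as an added example (this is not LiteLLM's code and not the Horizon3.ai proof of concept): a handler that spawns whatever command, args and env the request supplies, beside a hardened handler that only launches servers from a server-side registry and refuses any request that tries to supply those fields itself. The payload, the registry entry and the function names are constructed for illustration, and sys.executable stands in for a shell so the block runs anywhere. The Starlette Host header bypass is not modelled here; it is the reason a network control in front of the proxy matters even once the handler itself is sound.

```python
import os
import subprocess
import sys

# Constructed request body in the shape the article describes (command, args,
# env). sys.executable stands in for a real shell so the example runs anywhere.
ATTACKER_PAYLOAD = {
    "command": sys.executable,
    "args": ["-c", "print('executed on the proxy host')"],
    "env": {"INJECTED_BY_CLIENT": "1"},
}

# Constructed server-side registry: the only MCP servers this deployment will
# launch, keyed by an id the client is allowed to reference.
MCP_SERVER_REGISTRY = {
    "echo-server": {
        "command": sys.executable,
        "args": ["-c", "print('registered server started')"],
    },
}


class ConfigRejected(ValueError):
    """Raised when a request tries to control what gets executed."""


def _run(cmd, extra_env=None):
    """Spawn cmd with the proxy's environment plus any extra variables."""
    env = {**os.environ, **(extra_env or {})}
    done = subprocess.run(cmd, env=env, capture_output=True, text=True, timeout=15)
    return done.stdout.strip()


def spawn_from_request_vulnerable(server_config):
    """Vulnerable pattern: command, args and env come straight from the client
    and are handed to a subprocess, so anyone who can reach the endpoint runs
    code with the proxy process's privileges."""
    cmd = [server_config["command"], *server_config.get("args", [])]
    return _run(cmd, server_config.get("env"))


def spawn_from_registry_hardened(request):
    """Hardened pattern: the client may only name a pre-registered server id.
    Any attempt to supply command, args or env is rejected before anything is
    spawned, and the executed spec comes from server-side configuration only."""
    forbidden = {"command", "args", "env"} & set(request)
    if forbidden:
        raise ConfigRejected(f"client-supplied {sorted(forbidden)} not permitted")
    spec = MCP_SERVER_REGISTRY.get(request.get("server_id"))
    if spec is None:
        raise ConfigRejected("unknown server id")
    return _run([spec["command"], *spec["args"]])


def hardened_rejects(request):
    """True if the hardened handler refuses the request."""
    try:
        spawn_from_registry_hardened(request)
    except ConfigRejected:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler ran:", spawn_from_request_vulnerable(ATTACKER_PAYLOAD))
    print("hardened handler, registered id:", spawn_from_registry_hardened({"server_id": "echo-server"}))
    print("hardened handler rejects attacker payload:", hardened_rejects(ATTACKER_PAYLOAD))
```

The design point is that a "test this server" feature does not need to accept an executable specification from the network at all: the set of launchable servers is an operator decision, so the request should carry only a reference to it.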
Once code execution is achieved, threat actors can:
- Execute arbitrary OS commands on the LiteLLM host
- Steal API keys and model provider credentials stored by the proxy
- Access secrets and environment variables in the proxy process
- Move laterally into connected AI infrastructure and downstream systems

Given that LiteLLM is widely used to route and manage API calls to large language models (LLMs) from providers such as OpenAI, Anthropic, and Azure, a compromise of the gateway layer can cascade into broader AI supply chain exposure.

Indicators of Compromise

Security teams should monitor for the following signs of exploitation activity:
- Unexpected subprocess execution originating from the LiteLLM process
- HTTP requests targeting /mcp-rest/test/connection or /mcp-rest/test/tools/list
- Unusual or malformed Host header values in proxy logs
- Unauthorized command execution events on the host system

Organizations should immediately upgrade LiteLLM to version 1.83.7 or later and ensure Starlette is updated to version 1.0.1 or later. If patching cannot be applied immediately, defenders should:
- Block external access to the MCP test endpoints. Because the Host header bypass defeats the proxy's own API key check, this block has to be enforced in front of LiteLLM (reverse proxy, firewall, or service mesh) rather than by the proxy's authentication.
- Restrict proxy network access to trusted segments only
- Rotate all credentials and API keys stored by the proxy
- Review logs for anomalous Host header values and subprocess events

Given active in-the-wild exploitation, patching should be treated as an emergency priority for any organization running a self-hosted LiteLLM deployment.

Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News (https://cybersecuritynews.com), where he leads editorial coverage on global cybersecurity developments.
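Two checks for the remediation and indicator guidance above, as an added example (not from the article or the LiteLLM project): a version-range triage using the affected ranges the article quotes, and a scan of proxy access logs that flags hits on the two MCP test endpoints and Host headers that are either malformed or not on an allowlist. The JSON-lines log format, the sample records, the allowed host name and the function names are all constructed for this example; a real LiteLLM or reverse-proxy log will need its own record parsing.

```python
import json
import re
from importlib import metadata

# Version boundaries quoted in the article.
LITELLM_FIRST_AFFECTED = (1, 74, 2)
LITELLM_LAST_AFFECTED = (1, 83, 6)
STARLETTE_LAST_AFFECTED = (1, 0, 0)

MCP_TEST_ENDPOINTS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

# A well-formed Host header: hostname labels or a bracketed IPv6 literal,
# optionally followed by a port. Anything else (spaces, '@', '/', ...) is
# treated as malformed.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?:\[[0-9A-Fa-f:.]+\]|{_LABEL}(?:\.{_LABEL})*)(?::\d{{1,5}})?$")


def parse_version(text):
    """Leading numeric components: '1.83.6' -> (1, 83, 6). Pre-release or local
    suffixes are dropped, which is adequate for a range check like this one."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)


def is_affected(litellm_version, starlette_version):
    """True when both versions fall inside the ranges the article gives."""
    lv, sv = parse_version(litellm_version), parse_version(starlette_version)
    return (LITELLM_FIRST_AFFECTED <= lv <= LITELLM_LAST_AFFECTED
            and sv <= STARLETTE_LAST_AFFECTED)


def installed_is_affected():
    """Check the packages installed in this interpreter; None if either is absent."""
    try:
        return is_affected(metadata.version("litellm"), metadata.version("starlette"))
    except metadata.PackageNotFoundError:
        return None


def host_name(host):
    """Host header without the port, lower-cased; handles bracketed IPv6."""
    if host.startswith("[") and "]" in host:
        return host[1:host.index("]")].lower()
    return host.rsplit(":", 1)[0].lower()


def scan_access_log(lines, allowed_hosts):
    """Flag records that hit the MCP test endpoints or carry a suspicious Host
    header. Each record is one JSON object per line (constructed format)."""
    findings = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a request record
        reasons = []
        if rec.get("path") in MCP_TEST_ENDPOINTS:
            reasons.append("mcp_test_endpoint")
        host = str(rec.get("host", ""))
        if not HOST_RE.match(host):
            reasons.append("host_malformed")
        elif host_name(host) not in allowed_hosts:
            reasons.append("host_not_allowlisted")
        if reasons:
            findings.append({"src": rec.get("src"), "path": rec.get("path"),
                             "host": host, "reasons": reasons})
    return findings


# Constructed sample log: one benign request, two endpoint probes (one with a
# Host header carrying a userinfo-style '@'), one request for a host this proxy
# does not serve, and one non-JSON line that the scanner must skip.
SAMPLE_LOG = [
    '{"src":"10.0.0.5","method":"POST","path":"/chat/completions","host":"litellm.internal:4000","status":200}',
    '{"src":"203.0.113.7","method":"POST","path":"/mcp-rest/test/connection","host":"litellm.internal:4000","status":200}',
    '{"src":"203.0.113.7","method":"POST","path":"/mcp-rest/test/tools/list","host":"litellm.internal@evil.example","status":200}',
    '{"src":"10.0.0.8","method":"GET","path":"/health","host":"198.51.100.9","status":200}',
    "2026-06-09 worker restarted",
]

ALLOWED_HOSTS = {"litellm.internal"}

if __name__ == "__main__":
    print("installed litellm/starlette affected:", installed_is_affected())
    for finding in scan_access_log(SAMPLE_LOG, ALLOWED_HOSTS):
        print(finding)
```

Any hit on the test endpoints is worth a look on its own; a hit paired with a Host header that does not match the name the proxy is actually served under is the combination that the chained attack would leave behind.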
Source: Cybersecurity News
Category: Industry News & Leadership
Published: Jun 09, 2026
Archived: Jun 09, 2026