LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthorized RCE
The Cybersecurity and Infrastructure Security Agency (CISA) of the US on Monday added a critical feature affecting BerriA LiteLLM to its catalog known as Know Exploited Vulnerabilities (KEV), citing evidence of active exploitation.
Vulnerability, tracked as CVE-2026-42271 (CVSS score: 8.7), is an injection vulnerability that could allow any authorized user to execute arbitrary commands on the host.
It affects the following version of the LiteLLM Python package –
“The two endpoints used to preview the MCP server before saving it – POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list – accepted the complete server configuration from the request board, including the command, args, and env fields used by the stdio transport,” according to the bug description shared by BerriAI.
“When called with the stdio configuration, the endpoints attempted to connect, which revealed the given command as a child process on the proxy host with the permissions of the proxy process.”
The maintainers of the open-source AI gateway and Python SDK said that endpoints are protected only with a valid proxy API key, as a result of which any authorized user, including privileged internal user keys, can execute arbitrary commands on the affected system.
As part of the patches released in version 1.83.7, both test endpoints now require the PROXY_ADMIN role, making them compatible with the backup endpoint.
LiteLLM Unauthorized Remote Code Execution with Starlette Host Header Validation Bypass
Last week, Horizon3.ai said it patched CVE-2026-42271 with CVE-2026-48710 (CVSS score: 6.5), a “BadHost” header validation vulnerability affecting Starlette, a simple Asynchronous Server Gateway Interface (ASGI) framework that is vulnerable against Litex side code, to fully exploit the framework of the Asynchronous Server Gateway Interface (ASGI). shipment.
“CVE-2026-48710 can be used to completely bypass the authentication method in LiteLLM implementations whose dependency tree includes Starlette versions ≤ 1.0.0,” Horizon3.ai said. “This turns the vulnerability into unauthorized remote code execution without the required credentials.”
Successful exploit chain weapons can allow attackers to execute arbitrary commands on the LiteLLM host, access model provider credentials, siphon API keys and proxy-stored secrets, move towards connected AI infrastructure, and compromise downstream systems connected to the gateway.
According to Horizon3.ai, the chained vulnerability has a combined CVSS rating of 10.0, making it critical in nature.
There is currently no information on how the vulnerability is being exploited, the identity of the threat actors who instigated the efforts, the targets, how widespread this attack is, or if the activity has compromised any conditions. It is unclear whether the attacks seen in the wild use an exploit chain.
Users are advised to update LiteLLM to version 1.83.7 or later and Starlette to version 1.0.1 or later. If quick patching is not an option, the following is recommended:
- Block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list on the backend proxy or API gateway.
- Restrict network access to trusted segments.
- Rotate the information stored by the proxy.
- Review the logs for unusual Host header activity and subprocess signature events.
The development comes a little more than a month after a critical SQL injection flaw in LiteLLM (CVE-2026-42208, CVSS score: 9.3) was subject to an active exploit within 36 hours of the bug becoming public knowledge.
