The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity flaw impacting BerriAI LiteLLM to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2026-42271 (CVSS score: 8.7), is a command injection vulnerability that could allow any authenticated user to run arbitrary commands on the host.
It affects the following version of the LiteLLM Python package –
“Two endpoints used to preview an MCP server before saving it – POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list – accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport,” according to a description of the flaw shared by BerriAI.
“When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.”
The maintainers of the open-source AI gateway and Python SDK said the endpoints were secured only by means of a valid proxy API key, as a result of which any authenticated user, including privileged internal-user keys, could execute arbitrary commands on a susceptible system.
As part of the patches released in version 1.83.7, both the test endpoints now require the PROXY_ADMIN role, making it consistent with the save endpoint.
LiteLLM Unauthenticated Remote Code Execution via Starlette Host Header Validation Bypass
Last week, Horizon3.ai said it chained CVE-2026-42271 with CVE-2026-48710 (CVSS score: 6.5), a “BadHost” host header validation bypass vulnerability affecting Starlette, a lightweight Asynchronous Server Gateway Interface (ASGI) framework, to completely sidestep authentication and achieve remote code execution against vulnerable LiteLLM deployments.
“CVE-2026-48710 can be used to bypass the authentication mechanism entirely in LiteLLM deployments whose dependency tree includes Starlette versions ≤ 1.0.0,” Horizon3.ai said. “This transforms the vulnerability into unauthenticated remote code execution with no credentials required.”
Successful weaponization of the exploit chain could allow attackers to run arbitrary commands on the LiteLLM host, access model provider credentials, siphon API keys and secrets stored by the proxy, move laterally into connected AI infrastructure, and even compromise downstream systems integrated with the gateway.
Per Horizon3.ai, the chained vulnerability has a combined CVSS score of 10.0, making it critical in nature.
There is currently no information on how the vulnerability is being exploited, the identity of the threat actor(s) behind the efforts, who are targeted, how widespread these attacks are, or if the activity has successfully compromised any instances. It’s also unclear if the attacks observed in the wild are leveraging the exploit chain.
Users are advised to update LiteLLM to version 1.83.7 or later and Starlette to version 1.0.1 or later. If immediate patching is not an option, the following mitigations are recommended –
- Block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at the reverse proxy or API gateway.
- Restrict network access to trusted segments.
- Rotate credentials stored by the proxy.
- Review logs for unusual Host header activity and subprocess execution events.
The development comes a little over a month after a critical SQL injection flaw in LiteLLM (CVE-2026-42208, CVSS score: 9.3) came under active exploitation within 36 hours of the bug becoming public knowledge.
