Critical Unauthenticated RCE Vulnerability in LiteLLM Exploited in the Wild
Severity: Critical (Score: 86.0)
Sources: www.infoworld.com, Letsdatascience, Aiweekly.Co, Feeds2.Feedburner, Cybersecuritynews
Keywords: litellm, vulnerability, cisa, cve-2026-42271, exploiting, open-source, gateway
Severity indicators: vulnerability, rce, CVE:CVE-2026-42271
Summary
A critical command injection vulnerability, CVE-2026-42271, in LiteLLM, an open-source AI gateway, allows unauthenticated remote code execution (RCE) when chained with CVE-2026-48710, a Host header validation bypass in Starlette. The chain affects LiteLLM versions 1.74.2 to 1.83.6, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog on 2026-06-08. Attackers can execute arbitrary commands on the host system without authentication, posing severe risk to AI infrastructure. The vulnerability was first disclosed on 2026-05-08, and public proof-of-concept code has been available since 2026-05-20. The attack surface is particularly attractive to cybercriminals because the gateway holds sensitive model-provider credentials. Organizations are urged to upgrade to LiteLLM version 1.83.7 and Starlette version 1.0.1 to mitigate the risk.

Key Points:
- CVE-2026-42271 allows unauthenticated RCE when combined with CVE-2026-48710.
- CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog on 2026-06-08.
- Affected LiteLLM versions range from 1.74.2 to 1.83.6; a patch is available in version 1.83.7.
Detailed Analysis
**Impact**

Organizations using LiteLLM versions 1.74.2 through 1.83.6 are affected globally, including enterprises and developers relying on AI gateway proxies to manage large language model APIs. Exploitation enables full system compromise, credential theft (including cached model-provider API keys), lateral movement, and potential disruption of AI infrastructure. The vulnerability is actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities catalog, indicating confirmed incidents and broad targeting of AI-related environments.

**Technical Details**

The attack chain combines CVE-2026-42271, a command injection vulnerability in LiteLLM’s MCP test endpoints (/mcp-rest/test/connection and /mcp-rest/test/tools/list), with CVE-2026-48710, a Host header validation bypass in Starlette versions ≤ 1.0.0. The Starlette bypass removes the API key authentication that normally guards the endpoints, so the chain yields unauthenticated remote code execution. Attackers send crafted HTTP POST requests carrying malicious MCP server configurations, which cause the proxy to spawn arbitrary subprocesses with the privileges of the proxy process. Indicators include unusual Host headers and subprocess execution on proxy hosts. Deployments that run the proxy process as root (the default) are at increased risk, because spawned subprocesses inherit those privileges.

**Recommended Response**

Apply LiteLLM version 1.83.7 or later, which restricts access to the affected endpoints to the PROXY_ADMIN role and updates Starlette to version 1.0.1 or higher. Monitor network telemetry for POST requests to /mcp-rest/test/connection and /mcp-rest/test/tools/list with unexpected Host headers or stdio transport payloads. Deploy detections for anomalous subprocess executions and malformed Host headers. Validate exposure using available safe testing tools such as the NodeZero Rapid Response test. Maintain vigilance on CISA alerts and vendor advisories for further updates.
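As an added example (not code from the advisory, LiteLLM or Starlette), the two defender checks the Recommended Response describes: a version-range check against the affected range listed above, and a scan of access-log telemetry for POST requests to the two MCP test endpoints with an unexpected Host header or a stdio transport payload. The JSON-lines log format and its field names are assumptions, and the sample lines are constructed.

```python
import json
from typing import Iterable

# Endpoints named in the advisory for CVE-2026-42271.
MCP_TEST_ENDPOINTS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
# Affected LiteLLM range per the advisory: 1.74.2 through 1.83.6, fixed in 1.83.7.
AFFECTED_MIN, FIXED_IN = (1, 74, 2), (1, 83, 7)

def litellm_is_affected(version: str) -> bool:
    """True when a LiteLLM version string (e.g. '1.83.6') is inside the affected range."""
    parsed = tuple(int(p) for p in version.strip().lstrip("v").split("."))
    return AFFECTED_MIN <= parsed < FIXED_IN

def flag_request(entry: dict, allowed_hosts: set) -> list:
    """Return the advisory indicators that one JSON access-log entry matches."""
    reasons = []
    if entry.get("method") != "POST" or entry.get("path") not in MCP_TEST_ENDPOINTS:
        return reasons
    reasons.append("post-to-mcp-test-endpoint")
    # Compare the Host header (port stripped) with the names the proxy should serve.
    host = (entry.get("host") or "").split(":")[0].lower()
    if host not in allowed_hosts:
        reasons.append(f"unexpected-host:{host or '<empty>'}")
    # The advisory singles out stdio transport payloads sent to these endpoints.
    body = entry.get("body") or {}
    if str(body.get("transport", "")).lower() == "stdio":
        reasons.append("stdio-transport-payload")
    return reasons

def scan_log(lines: Iterable[str], allowed_hosts: set) -> list:
    """Scan JSON-lines access-log entries; return (src_ip, path, reasons) per hit."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        reasons = flag_request(entry, allowed_hosts)
        if reasons:
            hits.append((entry.get("src_ip"), entry["path"], reasons))
    return hits

# Constructed sample log lines (hypothetical field names, not real telemetry).
SAMPLE_LOG = [
    '{"src_ip": "10.0.0.5", "method": "POST", "path": "/v1/chat/completions", "host": "proxy.example.com"}',
    '{"src_ip": "10.0.0.7", "method": "POST", "path": "/mcp-rest/test/connection", "host": "proxy.example.com:4000", "body": {"transport": "http"}}',
    '{"src_ip": "203.0.113.9", "method": "POST", "path": "/mcp-rest/test/connection", "host": "evil", "body": {"transport": "stdio"}}',
    '{"src_ip": "198.51.100.2", "method": "POST", "path": "/mcp-rest/test/tools/list", "host": "proxy.example.com", "body": {"transport": "stdio"}}',
]
```

Any hit to the test endpoints is worth reviewing even with a valid Host header, since on a patched deployment only PROXY_ADMIN users should reach them; the extra reasons rank which hits to triage first.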
Source articles (11)
- Hackers Exploiting LiteLLM RCE Vulnerability in the Wild to Run Arbitrary Commands — Cybersecuritynews · 2026-06-09
  Threat actors are actively exploiting a critical chained vulnerability in LiteLLM, a popular open-source AI gateway proxy, allowing unauthenticated remote code execution (RCE) on vulnerable deployment…
- LiteLLM vulnerability under active attack, CISA warns (CVE-2026-42271) — Feeds2.Feedburner · 2026-06-09
  A command injection vulnerability (CVE-2026-42271) in BerriAI’s LiteLLM open-source AI gateway is being exploited by attackers, the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed…
- LiteLLM Vulnerability Allows Attackers to Execute Arbitrary Commands on Servers — Gbhackers · 2026-06-09
  A critical vulnerability chain affecting LiteLLM has been identified, enabling unauthenticated remote code execution (RCE) on exposed servers. Tracked as CVE-2026-42271 and chained to CVE-2026-48710,…
- LiteLLM Vulnerability Enables Unauthenticated Remote Code Execution — Letsdatascience · 2026-06-09
  Researchers at Horizon3.ai disclosed a vulnerability chain that turns a LiteLLM command-injection bug, CVE-2026-42271 (rated CVSS 8.7 on its own), into unauthenticated remote code execution when chain…
- Active Exploitation Alert: CVE-2026-42271 and CVE-2026-48710 — Rescana · 2026-06-09
  CVE-2026-42271 is a critical command injection vulnerability affecting the LiteLLM open-source AI gateway and Python SDK, developed by BerriAI. This flaw enables authenticated users to execute arbitr…
- LiteLLM Flaw Chains to CVSS 10 Unauthenticated RCE — Aiweekly.Co · 2026-06-09
  First-party attack research validating the chain mechanics; confirms Starlette versions up to 1.0.0 strip authentication entirely from LiteLLM's command injection endpoint. Vulnerability database entr…
- CVE-2026-42271 Chained with CVE-2026-48710 — horizon3.ai · 2026-06-09
  CVE-2026-42271 is a command injection vulnerability in LiteLLM’s MCP server test endpoints that was originally disclosed as requiring authentication. Horizon3.ai researchers confirmed that when chaine…
- CVE-2026-42271 — nvd.nist.gov · 2026-06-09
  LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST…
- CVE-2026-42271 — www.sentinelone.com · 2026-06-09
  CVE-2026-42271 is a command injection vulnerability in LiteLLM, an open-source proxy server (AI Gateway) that exposes large language model APIs in OpenAI-compatible format. The flaw affects versions f…
- GitHub Security Advisories — github.com · 2026-06-09
- FastAPI-Based AI Tools Exposed to Authentication Bypass by Flaw in Starlette Framework — www.infoworld.com · 2026-06-09
Timeline
- 2026-05-08 — CVE-2026-42271 published: A command injection vulnerability in LiteLLM was disclosed, affecting versions 1.74.2 to 1.83.6.
- 2026-05-20 — First public PoC released: Public proof-of-concept code for CVE-2026-42271 became available, facilitating exploitation.
- 2026-05-26 — CVE-2026-48710 published: A Host header validation bypass vulnerability in Starlette was disclosed, enabling exploitation of LiteLLM.
- 2026-06-08 — CISA adds CVE-2026-42271 to KEV: CISA confirmed active exploitation of CVE-2026-42271 and added it to the Known Exploited Vulnerabilities catalog.
- 2026-06-09 — Patches released: LiteLLM version 1.83.7 was released to address the vulnerabilities, restricting access to critical endpoints.
Related entities
- Remote Code Execution (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-200 - Exposure of Sensitive Information (CWE)
- CWE-287 - Improper Authentication (CWE)
- CWE-77 - Command Injection (CWE)
- CWE-78 - OS Command Injection (CWE)
- CWE-862 - Missing Authorization (CWE)
- CWE-89 - SQL Injection (CWE)
- CWE-94 - Code Injection (CWE)
- horizon3.ai (Domain)
- rescana.com (Domain)
- Healthcare (Industry)
- Technology (Industry)
- T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
- T1059 - Command and Scripting Interpreter (MITRE ATT&CK)
- T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
- T1505.003 - Web Shell (MITRE ATT&CK)
- Gitea (Platform)
- MCP (Platform)
- Starlette (Platform)
- vLLM (Platform)
- LiteLLM (Tool)
- Python (Tool)
- NodeZero Rapid Response (Tool)
- LiteLLM Vulnerability (Vulnerability)