Top 7 Things to Know About the LiteLLM CVE-2026-42271 Exploit
Table of contents
- 1. What LiteLLM is and why it's a target
- 2. The core flaw: command injection in MCP test endpoints
- 3. The chain that removed the authentication requirement
- 4. What an attacker gets once inside
- 5. The timeline: 50 days from disclosure to active exploitation
- 6. The Qilin connection
- 7. Remediation: two packages, both need updating
- The wider pattern
CISA added CVE-2026-42271, a command injection flaw in LiteLLM, to its Known Exploited Vulnerabilities catalog this morning. Researchers at Horizon3.ai have confirmed a chained exploit path that achieves unauthenticated remote code execution with no credentials required.
Here is what you need to know.
1. What LiteLLM is and why it’s a target
LiteLLM is an open-source proxy that exposes large language model (LLM) APIs in an OpenAI-compatible format, sitting between your applications and your AI providers such as OpenAI, Anthropic, and Mistral, routing requests, managing API keys, and enforcing rate limits. Many organisations running self-hosted AI infrastructure use it as a central gateway, which makes it one of the more sensitive components in the modern AI stack.
That position also makes it a credential aggregator, because a single compromised LiteLLM instance can expose API keys for every model provider it connects to simultaneously. That is precisely what makes this vulnerability worth understanding quickly, and why threat actors are already exploiting it.
2. The core flaw: command injection in MCP test endpoints
CVE-2026-42271 carries a CVSS score of 8.7 (High) and is a command injection flaw in LiteLLM’s Model Context Protocol (MCP) server preview endpoints. Two endpoints, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, were designed to let users preview an MCP server configuration before saving it, but both accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport.
When called, they spawned that input as a subprocess on the proxy host with the full privileges of the proxy process and no validation or sandboxing of any kind. Any authenticated user holding even a low-privilege API key could send a crafted POST request and execute arbitrary commands directly on the host.
Affected versions: LiteLLM 1.74.2 through 1.83.6.
3. The chain that removed the authentication requirement
On its own, CVE-2026-42271 required at least a valid API key, which is serious but limited by access controls in well-managed environments. Researchers at Horizon3.ai then chained it with CVE-2026-48710 (CVSS 6.5), a host header validation bypass in Starlette, the ASGI framework that LiteLLM depends on.
Starlette versions at or below 1.0.0 fail to validate the Host header correctly, which allows an attacker to bypass LiteLLM’s authentication layer entirely without any credentials. Combined, the two CVEs produce a CVSS 10.0 Critical attack path requiring no login, no API key, and no prior access to the environment whatsoever.
4. What an attacker gets once inside
Successful exploitation gives an attacker code execution as the LiteLLM proxy process, and from that position the potential damage extends well beyond the host itself. An attacker can execute arbitrary commands on the LiteLLM host, access model provider credentials across every connected AI service, extract API keys and secrets stored by the proxy, move laterally into connected AI infrastructure, and reach downstream systems that are integrated with the gateway.
For organisations routing production AI workloads through LiteLLM, this means every API key the proxy holds is at risk, along with whatever internal network access the proxy process carries. Given how deeply AI infrastructure is now embedded in production pipelines, that access can be far more valuable than it might first appear.
5. The timeline: 50 days from disclosure to active exploitation
- April 20, 2026 — CVE-2026-42271 disclosed as a command injection flaw in LiteLLM MCP test endpoints
- May 8, 2026 — LiteLLM published fixes in version 1.83.7, adding authorisation controls and updated Starlette dependencies
- May 26, 2026 — Public disclosure of CVE-2026-48710 (“BadHost”), detailing host header bypass vulnerabilities in Starlette-based applications
- June 1, 2026 — Horizon3.ai confirmed the chained unauthenticated RCE path against affected deployments
- June 9, 2026 — CISA added CVE-2026-42271 to the KEV catalog, citing confirmed active exploitation in the wild
The patch for CVE-2026-42271 was available from May 8. Confirmed attacks followed within five weeks of that patch being published, which leaves a very narrow window for teams that have not yet applied it.
6. The Qilin connection
The KEV listing tags this vulnerability to the Qilin ransomware group, and the connection is worth understanding in context. CybelAngel has been tracking Qilin closely, and our full profile of the group details how it operates as a mature ransomware-as-a-service (RaaS) platform that claimed over 1,000 victims in 2025 alone, putting it among the most active groups on the market.
This week, Check Point also linked Qilin to active VPN zero-day attacks, reinforcing a pattern of the group expanding its initial access methods beyond traditional phishing and credential theft. Targeting an AI gateway proxy fits that pattern directly: it gives Qilin immediate access to billable AI API keys and a lateral movement path into the broader network, without needing to compromise a user account first. You can read more about how Qilin and similar groups are driving the 2026 ransomware surge and what sectors are bearing the most risk.
7. Remediation: two packages, both need updating
The fix addresses both components of the exploit chain and is straightforward to apply, but both parts are required.
Upgrade immediately to:
- LiteLLM version 1.83.7 or later
- Starlette version 1.0.1 or later
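Because both packages have to move, it helps to triage each environment against both version ranges at once. The sketch below is an added example, not LiteLLM or CybelAngel code; it reads pinned versions from a requirements-style listing, and the function names and sample pins are assumptions made for illustration.

```python
import re

# Version boundaries as stated in the article.
LITELLM_FIRST_AFFECTED = (1, 74, 2)
LITELLM_FIXED = (1, 83, 7)
STARLETTE_FIXED = (1, 0, 1)

def parse_version(text):
    """Numeric release only; suffixes such as 'rc1' are dropped, so review those by hand."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def pinned(requirements):
    """Map package name -> version tuple for 'name==x.y.z' and 'name[extra]==x.y.z' lines."""
    pins = {}
    for line in requirements.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", line)
        if m:
            pins[m.group(1).lower()] = parse_version(m.group(2))
    return pins

def triage(requirements):
    """Classify one environment against the two-CVE chain described above."""
    pins = pinned(requirements)
    litellm, starlette = pins.get("litellm"), pins.get("starlette")
    if litellm is None or starlette is None:
        return "incomplete: litellm or starlette not pinned"
    cmd_injection = LITELLM_FIRST_AFFECTED <= litellm < LITELLM_FIXED
    host_bypass = starlette < STARLETTE_FIXED
    if cmd_injection and host_bypass:
        return "critical: unauthenticated chain (CVE-2026-42271 + CVE-2026-48710)"
    if cmd_injection:
        return "high: CVE-2026-42271 reachable with a valid API key"
    if host_bypass:
        return "upgrade starlette: CVE-2026-48710 still present"
    return "ok: outside both affected ranges"

# Constructed sample: a requirements listing from a hypothetical proxy host.
SAMPLE = "litellm[proxy]==1.80.0\nstarlette==0.46.2\nuvicorn==0.30.1\n"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it against the resolved versions inside the running container or virtualenv, since a requirements file only records what was requested.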
Verify the fix by confirming that POST requests to the MCP test endpoints no longer accept command, args, or env fields in the request body.
Audit your logs for unexpected child processes spawned by the LiteLLM proxy process (especially shells like sh or bash, interpreters like python or node, or network tools like curl, wget, or nc), outbound connections originating from proxy subprocesses to untrusted destinations, and anomalous access patterns on /mcp-rest/test/ endpoints.
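One way to run that audit is to correlate the two signals: requests to the /mcp-rest/test/ endpoints and watched child processes that appear under the proxy moments later. This is an added example, not code from LiteLLM or CybelAngel; both log line formats and all sample records are constructed assumptions, so adapt the parsers to your own proxy and EDR exports.

```python
import re
from datetime import datetime, timedelta

TS = "%Y-%m-%dT%H:%M:%SZ"
TEST_PREFIX = "/mcp-rest/test/"
# Child process names the article tells you to look for under the proxy.
WATCHLIST = {"sh", "bash", "python", "node", "curl", "wget", "nc"}

# Constructed sample data; both line formats are assumptions.
ACCESS_LOG = """\
2026-06-05T10:14:02Z 203.0.113.7 POST /mcp-rest/test/connection 200
2026-06-05T10:14:30Z 198.51.100.4 POST /v1/chat/completions 200
2026-06-05T11:02:11Z 203.0.113.7 POST /mcp-rest/test/tools/list 200
"""
PROC_EVENTS = """\
2026-06-05T10:14:03Z parent=litellm child=/bin/sh
2026-06-05T10:50:00Z parent=litellm child=/usr/bin/node
2026-06-05T11:30:00Z parent=sshd child=/bin/bash
"""

def mcp_preview_hits(access_log):
    """POST requests to the MCP test endpoints as (time, client_ip, path)."""
    hits = []
    for line in access_log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "POST" and parts[3].startswith(TEST_PREFIX):
            hits.append((datetime.strptime(parts[0], TS), parts[1], parts[3]))
    return hits

def watched_children(proc_events, parent="litellm"):
    """Direct children of the proxy whose basename is on the watchlist."""
    found = []
    for line in proc_events.splitlines():
        m = re.fullmatch(r"(\S+) parent=(\S+) child=(\S+)", line.strip())
        if m and m.group(2) == parent and m.group(3).rsplit("/", 1)[-1] in WATCHLIST:
            found.append((datetime.strptime(m.group(1), TS), m.group(3)))
    return found

def correlate(access_log, proc_events, window_s=5):
    """Pair each watched child with a preview request made up to window_s earlier."""
    findings = []
    for spawned_at, child in watched_children(proc_events):
        for hit_at, ip, path in mcp_preview_hits(access_log):
            if 0 <= (spawned_at - hit_at).total_seconds() <= window_s:
                findings.append({"client": ip, "path": path, "child": child})
    return findings

if __name__ == "__main__":
    print(correlate(ACCESS_LOG, PROC_EVENTS))
```

Legitimately configured stdio MCP servers also start node or python children under the proxy, which is why the uncorrelated node spawn in the sample is listed by `watched_children` but not flagged by `correlate`; baseline those against your saved MCP server configurations.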
Rotate credentials stored in the proxy as a precaution, even if you have not yet seen evidence of active exploitation in your environment. If your LiteLLM deployment is internet-facing and unpatched, that is the first task for today.
The wider pattern
AI infrastructure is now part of the attack surface, and this vulnerability is evidence of how quickly that shift is being exploited. LiteLLM, MCP servers, and AI gateway proxies are production systems holding sensitive credentials, and attackers have identified them as high-value targets that most security teams have not yet inventoried with the same rigour they apply to traditional infrastructure.
This is part of a broader trend that CybelAngel’s REACT team has been documenting in detail. Our 2026 supply chain risk report found that the fastest route into an enterprise today is increasingly through the software and services it depends on, and AI tooling is quickly becoming part of that surface. The Miasma supply chain attack from earlier this month is another example of how credential exposure in developer infrastructure goes unnoticed until it causes real damage.
Map what you are running. Patch what is exposed. If you want to know what your AI infrastructure looks like from the outside.
