CVE-2026-42271: LiteLLM: RCE via MCP test endpoint command injection

Severity: HIGH | Actively exploited | Nuclei template available | CISA SSVC decision: Act
Published May 8, 2026
CISO Take

LiteLLM's MCP server testing endpoints accept arbitrary stdio command configurations and spawn them as subprocesses on the proxy host without any role check — any holder of a low-privilege internal-user API key can execute arbitrary OS commands. For organizations running LiteLLM as their AI gateway, the blast radius is severe: the proxy typically holds API keys for every LLM provider in your stack, and full RCE means an attacker walks away with all of them. The package carries 18 CVEs in its history and an OpenSSF score of only 6.2/10, indicating structural security debt; while EPSS sits at 0.00047 with no observed exploitation, the trivially-low barrier (any valid API key, single POST request) makes that window short. Upgrade to LiteLLM 1.83.7 immediately, or block POST /mcp-rest/test/ endpoints at your reverse proxy layer until you can patch.

Sources: NVD, GitHub Advisory, EPSS, OpenSSF, ATLAS

What is the risk?

High risk for any LiteLLM deployment exposed to untrusted users or multi-tenant API key holders. The attack requires only a valid API key with no admin role — CVSS 8.8 accurately reflects the low complexity and low privilege requirements. The proxy host is a high-value target given its access to all configured LLM provider credentials, request/response logs containing potentially sensitive prompts, and internal network positioning. Seventeen prior CVEs in the same package suggest a recurring pattern of insufficient input validation.

How does the attack unfold?

  1. Credential Access (AML.T0012): Attacker obtains any valid low-privilege LiteLLM internal-user API key via code repository leak, insider threat, or credential theft from a developer workstation.

  2. Exploitation (AML.T0049): Attacker sends a single authenticated POST to /mcp-rest/test/connection with a crafted JSON body specifying stdio transport and an arbitrary OS command (e.g., reverse shell one-liner).

  3. Command Execution (AML.T0050): LiteLLM proxy spawns the supplied command as an OS subprocess with proxy-process privileges, granting the attacker arbitrary code execution on the host.

  4. Credential Harvesting & Lateral Movement (AML.T0055): Attacker reads proxy environment variables and config files to harvest all LLM provider API keys, enabling full impersonation of the victim's AI infrastructure and lateral movement to internal services.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
LiteLLM | pip | | No patch
51.0K · OpenSSF 6.1 · 6 dependents · Pushed 2d ago · 38% patched · ~38d to patch

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 53.7% chance of exploitation in 30 days (higher than 99% of all CVEs)
Exploitation Status: Actively Exploited (CISA KEV)
Sophistication: Trivial
Exploitation Confidence: high
  • CISA KEV (active exploitation confirmed) — Jun 2026
  • CISA SSVC: Active exploitation
  • Nuclei detection template available
  • EPSS exploit prediction: 54%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

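Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High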

What should I do?

  1. Patch: Upgrade litellm to ≥1.83.7 immediately.

  2. If patching is not possible: block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at the WAF or reverse proxy layer.

  3. Audit all API key holders and revoke keys issued to untrusted or external parties.

  4. Rotate all LLM provider API keys configured in the proxy as a precaution if prior exploitation cannot be ruled out.

  5. Detection: Review proxy logs for POST requests to /mcp-rest/test/ endpoints containing command, args, or env fields in the request body.

  6. Harden the proxy process to run as a non-root user with a restricted filesystem and outbound network controls to limit post-exploitation impact.
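The log review in step 5, as an added example that is not part of the original advisory or of LiteLLM. It assumes a JSON-lines access log that captures the request body; the record keys (method, path, key_alias, body) and the sample records are constructed for illustration.

```python
import json
from urllib.parse import unquote

# Endpoints and stdio fields as named in the advisory on this page.
TEST_ENDPOINTS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
STDIO_FIELDS = ("command", "args", "env")

def normalize_path(raw):
    """Strip the query string, decode %xx, collapse slashes, lowercase."""
    path = unquote(raw.split("?", 1)[0]).lower()
    return "/" + "/".join(p for p in path.split("/") if p)

def stdio_fields_in(obj):
    """Stdio field names found at any nesting depth of a decoded JSON body."""
    if isinstance(obj, dict):
        return {k for k in obj if k in STDIO_FIELDS} | stdio_fields_in(list(obj.values()))
    if isinstance(obj, list):
        return set().union(*map(stdio_fields_in, obj))
    return set()

def scan(log_lines):
    """Return (key_alias, path, fields) for POSTs to a test endpoint with stdio fields."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record
        if not isinstance(rec, dict) or str(rec.get("method", "")).upper() != "POST":
            continue
        path = normalize_path(str(rec.get("path", "")))
        if path not in TEST_ENDPOINTS:
            continue
        body = rec.get("body") or ""
        try:
            fields = stdio_fields_in(json.loads(body) if isinstance(body, str) else body)
        except json.JSONDecodeError:  # truncated or non-JSON body: match quoted keys
            fields = {f for f in STDIO_FIELDS if f'"{f}"' in body}
        if fields:
            hits.append((rec.get("key_alias"), path, sorted(fields)))
    return hits

# Constructed sample records; the log shape and all values are assumptions.
SAMPLE_LOG = [
    '{"method":"POST","path":"/mcp-rest/test/connection","key_alias":"dev-1","body":{"transport":"stdio","command":"example-bin","args":["-v"]}}',
    '{"method":"POST","path":"/mcp-rest/test//tools/list/?x=1","key_alias":"dev-2","body":"{\\"server\\":{\\"env\\":{},\\"comm"}',
    '{"method":"POST","path":"/mcp-rest/test/connection","key_alias":"ops","body":{"transport":"sse","url":"https://mcp.example.internal"}}',
]
```

Each hit names the key alias that made the request, which feeds directly into the key audit and revocation in step 3.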

What does CISA's SSVC say?

Decision: Act
Exploitation: active
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Art. 15 - Accuracy, robustness and cybersecurity
  • Art. 9 - Risk management system
ISO 42001
  • A.6.1.2 - AI risk assessment
  • A.9.1 - Access control for AI systems
NIST AI RMF
  • MANAGE 2.2 - Mechanisms for AI risk response
OWASP LLM Top 10
  • LLM06 - Excessive Agency

How many AI incidents are linked? (1)

AI Threat Alert incident classification, derived from public security reporting. Each item links to its original source.

Frequently Asked Questions

Is CVE-2026-42271 actively exploited?

Yes, CVE-2026-42271 is confirmed actively exploited and has been listed in the CISA Known Exploited Vulnerabilities catalog since June 8, 2026.

How to fix CVE-2026-42271?

  1. Patch: Upgrade litellm to ≥1.83.7 immediately.

  2. If patching is not possible: block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at the WAF or reverse proxy layer.

  3. Audit all API key holders and revoke keys issued to untrusted or external parties.

  4. Rotate all LLM provider API keys configured in the proxy as a precaution if prior exploitation cannot be ruled out.

  5. Detection: Review proxy logs for POST requests to /mcp-rest/test/ endpoints containing command, args, or env fields in the request body.

  6. Harden the proxy process to run as a non-root user with a restricted filesystem and outbound network controls to limit post-exploitation impact.

What systems are affected by CVE-2026-42271?

This vulnerability affects the following AI/ML architecture patterns: AI gateway / LLM proxy deployments, Multi-tenant LLM API routing infrastructure, Agent frameworks using LiteLLM as backend router, Enterprise AI API management platforms, MCP server integrations.

What is the CVSS score for CVE-2026-42271?

CVE-2026-42271 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 53.70%.

What is the AI security impact?

Affected AI Architectures

  • AI gateway / LLM proxy deployments
  • Multi-tenant LLM API routing infrastructure
  • Agent frameworks using LiteLLM as backend router
  • Enterprise AI API management platforms
  • MCP server integrations

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: A.6.1.2, A.9.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.

Exploitation Scenario

An attacker with a low-privilege LiteLLM internal-user API key — obtained via a leaked key in a code repository, insider access, or credential stuffing — sends a single POST to /mcp-rest/test/connection with a JSON body specifying stdio transport and a malicious command (e.g., curl-piped reverse shell). LiteLLM spawns this as an OS subprocess at proxy-process privilege level. The attacker receives a shell on the proxy host, reads environment variables and config files to harvest all LLM provider API keys (OpenAI, Anthropic, Azure, etc.), and pivots to internal services reachable from the proxy network. The entire AI infrastructure is now impersonatable by the adversary.

Weaknesses (CWE)

CWE-77 — Improper Neutralization of Special Elements used in a Command ('Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Implementation] If possible, ensure that all external commands called from the program are statically created.

Source: MITRE CWE corpus.
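The missing role check from the advisory and the CWE-77 advice to use statically created commands, side by side, as an added example that is not LiteLLM's code or its actual patch. The role name, the transport and server_name request keys, and the STATIC_SERVERS registry are assumptions made for this sketch; neither function spawns anything, each only decides which argv would be run.

```python
STDIO_FIELDS = ("command", "args", "env")  # stdio fields named in the advisory
ADMIN_ROLE = "proxy_admin"                 # assumed role name
# Hypothetical operator-maintained registry: server name -> fixed argv.
STATIC_SERVERS = {"docs-search": ["/opt/mcp/docs-search", "--read-only"]}

def wants_process(config):
    """True if the request declares stdio or carries any stdio field, so a
    mislabelled or missing transport does not slip past the gate."""
    declared = str(config.get("transport", "")).lower() == "stdio"
    return declared or any(f in config for f in STDIO_FIELDS)

def argv_before(key_valid, role, config):
    """Pattern the advisory describes: valid key only, argv taken from the request."""
    if not key_valid:
        raise PermissionError("invalid key")
    if "command" not in config:
        return None
    return [config["command"], *config.get("args", [])]

def argv_after(key_valid, role, config):
    """Role check plus statically defined commands; returns argv or None."""
    if not key_valid:
        raise PermissionError("invalid key")
    if not wants_process(config):
        return None  # network transport: nothing is spawned
    if role != ADMIN_ROLE:
        raise PermissionError("stdio preview requires the admin role")
    if any(f in config for f in STDIO_FIELDS):
        raise PermissionError("command, args and env are not accepted from the request")
    name = config.get("server_name")
    if not isinstance(name, str) or name not in STATIC_SERVERS:
        raise PermissionError("unknown stdio server")
    return list(STATIC_SERVERS[name])
```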

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 8, 2026
Last Modified: June 9, 2026
First Seen: May 8, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2026/CVE-2026-42271.yaml -u https://target.example.com
