AI Threat Alert AI Threat Alert

GHSA-v4p8-mg3p-g94g

GHSA-v4p8-mg3p-g94g HIGH
Published April 25, 2026

### Impact Two endpoints used to preview an MCP server before saving it — `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` — accepted a full server configuration in the request body, including the `command`, `args`, and `env` fields used by the stdio transport. When called...

Full CISO analysis pending enrichment.

Affected Systems

Package Ecosystem Vulnerable Range Patched
litellm pip >= 1.74.2, < 1.83.7 1.83.7
43.8K OpenSSF 6.2 2.0K dependents Pushed 6d ago 59% patched ~43d to patch Full package profile →

Do you use litellm? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Recommended Action

Patch available

Update litellm to version 1.83.7

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is GHSA-v4p8-mg3p-g94g?

LiteLLM: Authenticated command execution via MCP stdio test endpoints

Is GHSA-v4p8-mg3p-g94g actively exploited?

No confirmed active exploitation of GHSA-v4p8-mg3p-g94g has been reported, but organizations should still patch proactively.

How to fix GHSA-v4p8-mg3p-g94g?

Update to patched version: litellm 1.83.7.

What is the CVSS score for GHSA-v4p8-mg3p-g94g?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Impact Two endpoints used to preview an MCP server before saving it — `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` — accepted a full server configuration in the request body, including the `command`, `args`, and `env` fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. ### Patches Fixed in **`1.83.7`**. Both test endpoints now require the `PROXY_ADMIN` role, bringing them into line with the save endpoint. ### Workarounds If upgrading is not immediately possible, developers should block `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` at their reverse proxy or API gateway.

Weaknesses (CWE)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Primary

References

Timeline

Published
April 25, 2026
Last Modified
April 25, 2026
First Seen
April 26, 2026

Related Vulnerabilities

CRITICAL CVE-2026-35030 9.1

LiteLLM: auth bypass via JWT cache key collision

Same package: litellm
HIGH CVE-2026-40217 8.8

LiteLLM: RCE via bytecode rewriting in guardrails API

Same package: litellm
HIGH CVE-2024-6825 8.8

LiteLLM: RCE via post_call_rules callback injection

Same package: litellm
HIGH CVE-2025-0628 8.1

litellm: privilege escalation viewer→proxy admin via bad API key

Same package: litellm
HIGH CVE-2024-4888 8.1

litellm: arbitrary file deletion via audio endpoint

Same package: litellm
Back to Threat Feed