LiteLLM Flaw Chains to Unauthenticated RCE—CISA Adds to KEV
CVE-2026-42271 in LiteLLM chains with Starlette bypass for unauthenticated remote code execution. CISA adds to KEV catalog after active exploitation confirmed.
A command injection vulnerability in BerriAI's LiteLLM proxy gateway can be chained with a Starlette host header bypass to achieve unauthenticated remote code execution—and attackers are already exploiting it in the wild. CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog on June 8, 2026, giving federal agencies until June 29 to remediate.
LiteLLM is a popular open-source proxy that unifies access to over 100 LLM providers including OpenAI, Anthropic, and Azure. Its widespread deployment across enterprise AI pipelines makes this vulnerability particularly concerning for organizations building production AI applications.
How the Exploit Chain Works
The vulnerability exists in two MCP server preview endpoints: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. Both accept full server configurations in request bodies, including command, args, and env fields for stdio transport. When called with a stdio configuration, LiteLLM spawns the supplied command as a subprocess with the privileges of the proxy process.
These endpoints were protected only by valid proxy API keys—meaning any authenticated user could execute arbitrary commands on the host. But the real danger comes from chaining this with CVE-2026-48710, a host header validation bypass in Starlette versions 1.0.0 and earlier.
Horizon3.ai researchers discovered that combining these two flaws completely sidesteps authentication, transforming the attack into unauthenticated RCE. The chained vulnerability carries a combined CVSS score of 10.0.
What Attackers Can Access
Successful exploitation gives attackers the ability to run arbitrary commands on the LiteLLM host, access model provider credentials stored by the proxy, steal API keys and secrets, and compromise downstream systems integrated with the gateway. For organizations using LiteLLM as their central AI routing layer, a breach here means potential access to every connected LLM provider and the data flowing through them.
This pattern of AI infrastructure vulnerabilities becoming entry points for broader compromise is one security teams should be watching closely. As organizations rush to deploy AI capabilities, the middleware connecting these systems often lacks the security scrutiny applied to traditional infrastructure.
Affected Versions and Remediation
Affected: LiteLLM versions 1.74.2 through 1.83.6
Fixed: LiteLLM 1.83.7 and Starlette 1.0.1
Organizations running vulnerable versions should patch immediately. If immediate patching isn't feasible, implement these interim controls:
- Block the affected endpoints at your reverse proxy or API gateway
- Restrict network access to LiteLLM to trusted segments only
- Rotate all stored credentials including LLM provider API keys
- Monitor logs for unusual Host headers and unexpected subprocess execution
Detection Guidance
Security teams should hunt for:
- POST requests to /mcp-rest/test/connection or /mcp-rest/test/tools/list with stdio configurations
- Unusual Host header values that don't match expected patterns
- Unexpected child processes spawned by the LiteLLM application
- Outbound connections from the proxy host to unfamiliar destinations
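The first two hunts above, sketched as an added example that is not part of the original article or of LiteLLM: it scans JSON-lines reverse-proxy access logs for POSTs to the two preview endpoints, flags bodies carrying a `command` field, and flags Host values outside an allowlist. The log field names (`method`, `path`, `host`, `body`), the `EXPECTED_HOSTS` allowlist and the sample entries are assumptions constructed for illustration.

```python
import json

MCP_TEST_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}  # from the advisory
EXPECTED_HOSTS = {"llm-gateway.example.internal"}  # assumption: your proxy's real hostnames

def has_key(obj, key):
    """True if `key` appears anywhere in a nested JSON structure."""
    if isinstance(obj, dict):
        return key in obj or any(has_key(v, key) for v in obj.values())
    return isinstance(obj, list) and any(has_key(v, key) for v in obj)

def classify(entry):
    """Return hunt findings for one parsed access-log entry."""
    findings = []
    host = str(entry.get("host", "")).lower()
    if host.count(":") == 1:              # drop a :port suffix
        host = host.split(":", 1)[0]
    if host not in EXPECTED_HOSTS:
        findings.append("unexpected-host")
    path = str(entry.get("path", "")).split("?", 1)[0].rstrip("/")
    if entry.get("method") == "POST" and path in MCP_TEST_PATHS:
        findings.append("mcp-test-endpoint")
        try:
            body = json.loads(entry.get("body") or "null")
        except (TypeError, ValueError):
            body = None                   # truncated or non-JSON body
        if has_key(body, "command"):      # stdio configs carry command/args/env
            findings.append("stdio-command")
    return findings

def hunt(lines):
    """Return (line_number, findings) for every log line worth triage."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except ValueError:
            continue                      # skip unparseable lines
        if isinstance(entry, dict) and (found := classify(entry)):
            hits.append((n, found))
    return hits

# Constructed sample entries, not taken from a real incident.
SAMPLE_LOG = [
    json.dumps({"method": "POST", "path": "/chat/completions", "host": "llm-gateway.example.internal", "body": "{}"}),
    json.dumps({"method": "POST", "path": "/mcp-rest/test/connection", "host": "llm-gateway.example.internal:4000", "body": json.dumps({"url": "https://mcp.example.internal"})}),
    json.dumps({"method": "POST", "path": "/mcp-rest/test/tools/list", "host": "unexpected.invalid", "body": json.dumps({"command": "placeholder", "args": [], "env": {}})}),
    "truncated line {",
]
```

Calling `hunt(SAMPLE_LOG)` flags lines 2 and 3; a line carrying all three findings deserves the fastest triage, and any `mcp-test-endpoint` hit on a production gateway is worth confirming with the owning team.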
The vulnerability highlights a growing trend: AI orchestration tools, often deployed rapidly to meet business demands, are becoming attractive targets. LiteLLM isn't alone—similar supply chain concerns have emerged across the AI tooling ecosystem as attackers recognize these systems often have privileged access to credentials and sensitive data flows.
Why This Matters
The AI infrastructure layer is becoming critical attack surface. Proxy gateways like LiteLLM sit at the intersection of multiple high-value targets: API credentials for major LLM providers, potentially sensitive prompts and responses, and often elevated network access to reach cloud APIs. Organizations should treat AI infrastructure with the same security rigor applied to identity providers and secrets management systems—because increasingly, that's exactly what they are.