CVE-2026-42271
Published: 08 May 2026
Summary
CVE-2026-42271 is a high-severity Command Injection (CWE-77) vulnerability in Litellm Litellm. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
LiteLLM is an AI gateway proxy server that routes calls to LLM APIs using OpenAI-compatible or native formats. CVE-2026-42271 affects versions 1.74.2 through 1.83.6 and stems from two unauthenticated-role endpoints, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, that accept an arbitrary MCP server configuration containing command, args, and env fields for the stdio transport. When presented with such a configuration the endpoints spawn the supplied command as a child process on the proxy host, inheriting the privileges of the LiteLLM process; the only access control is possession of any valid proxy API key.
An attacker holding a low-privilege internal-user key can therefore submit a malicious stdio configuration to either endpoint and execute arbitrary operating-system commands on the underlying host, achieving full remote code execution with the proxy’s permissions. The vulnerability maps to CWE-77 and CWE-78 and carries a CVSS 4.0 score of 8.7.
The issue is resolved in LiteLLM 1.83.7; the project’s release notes and the accompanying GitHub Security Advisory GHSA-v4p8-mg3p-g94g describe the patch and urge immediate upgrade. The vulnerability also appears in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score has remained steady at 0.6078 with no material increase since disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28507
Vulnerability details
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list…
more
— accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
- CWE(s)
- KEV Date Added
- 08 June 2026
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, llm, mcp, openai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE via unauthenticated command injection in public-facing proxy endpoints (CWE-78), enabling arbitrary subprocess execution on the host.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks on the /mcp-rest/test/* endpoints so that possession of any API key is insufficient to submit stdio configurations that spawn arbitrary subprocesses.
Ensures low-privilege internal-user accounts cannot invoke functionality that executes OS commands with the proxy process privileges.
Restricts the availability of the dangerous test-connection and test-tools endpoints or the stdio transport feature that accepts and executes attacker-supplied commands.