Cyber Resilience

CVE-2026-42271

HighCISA KEVActive ExploitationRCEUpdated

Published: 08 May 2026

Published
08 May 2026
Modified
09 June 2026
KEV Added
08 June 2026
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.7499 99.4th percentile
Risk Priority 100 floored blend · peak EPSS

Summary

CVE-2026-42271 is a high-severity Command Injection (CWE-77) vulnerability in Litellm Litellm. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

LiteLLM is an AI gateway proxy server that routes calls to LLM APIs using OpenAI-compatible or native formats. CVE-2026-42271 affects versions 1.74.2 through 1.83.6 and stems from two unauthenticated-role endpoints, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, that accept an arbitrary MCP server configuration containing command, args, and env fields for the stdio transport. When presented with such a configuration the endpoints spawn the supplied command as a child process on the proxy host, inheriting the privileges of the LiteLLM process; the only access control is possession of any valid proxy API key.

An attacker holding a low-privilege internal-user key can therefore submit a malicious stdio configuration to either endpoint and execute arbitrary operating-system commands on the underlying host, achieving full remote code execution with the proxy’s permissions. The vulnerability maps to CWE-77 and CWE-78 and carries a CVSS 4.0 score of 8.7.

The issue is resolved in LiteLLM 1.83.7; the project’s release notes and the accompanying GitHub Security Advisory GHSA-v4p8-mg3p-g94g describe the patch and urge immediate upgrade. The vulnerability also appears in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score has remained steady at 0.6078 with no material increase since disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list…

more

— accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.

CWE(s)
KEV Date Added
08 June 2026

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, llm, mcp, openai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Direct RCE via unauthenticated command injection in public-facing proxy endpoints (CWE-78), enabling arbitrary subprocess execution on the host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42208Same product: Litellm Litellmboth on KEV
CVE-2026-40217Same product: Litellm Litellm
CVE-2026-35030Same product: Litellm Litellm
CVE-2026-35029Same product: Litellm Litellm
CVE-2026-47101Same product: Litellm Litellm
CVE-2026-47102Same product: Litellm Litellm
CVE-2024-9606Same product: Litellm Litellm
CVE-2026-5802Shared CWE-77, CWE-78
CVE-2026-7443Shared CWE-77, CWE-78
CVE-2026-7785Shared CWE-77, CWE-78

Affected Assets

litellm
litellm
1.74.2 — 1.83.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on the /mcp-rest/test/* endpoints so that possession of any API key is insufficient to submit stdio configurations that spawn arbitrary subprocesses.

prevent

Ensures low-privilege internal-user accounts cannot invoke functionality that executes OS commands with the proxy process privileges.

prevent

Restricts the availability of the dangerous test-connection and test-tools endpoints or the stdio transport feature that accepts and executes attacker-supplied commands.

References