SecurityBlog Post

LiteLLM RCE Flaw CVE-2026-42271 Now Exploited in the Wild

A command injection flaw in LiteLLM's MCP test endpoints is under active exploitation and chains to unauthenticated RCE

June 9, 2026
1 min read
LiteLLM RCE Flaw CVE-2026-42271 Now Exploited in the Wild
Is your AI-built app exposed? Get a professional vibe coding audit and ship to production with confidence.

LiteLLM is one of the most widely deployed open-source AI gateways. It sits between an application and 100-plus LLM providers, normalizing every call into a single OpenAI-compatible format. That position makes it convenient. It also makes it a high-value target, and attackers are now treating it like one.

What the flaw does

CVE-2026-42271 is a command injection bug rated CVSS 8.7. It lives in two preview endpoints that LiteLLM uses to test a Model Context Protocol (MCP) server before saving its configuration: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list.

Those endpoints accept a full server configuration, including the command, arguments, and environment variables used by the stdio transport. When LiteLLM tests that configuration, it spawns the supplied command as a real subprocess on the host.

There is no role check on these endpoints, so any user holding a valid proxy API key, even a low-privilege internal one, can run arbitrary commands with the privileges of the proxy process. Affected versions run from 1.74.2 up to but not including 1.83.7.

Why it is worse than a single bug

On its own, CVE-2026-42271 still requires a valid API key. The real danger is the chain. Researchers at Horizon3.ai confirmed that it combines with a second flaw, CVE-2026-48710, an authentication bypass that applies to LiteLLM deployments whose dependency tree includes Starlette 1.0.0 or earlier.

Bypass the authentication, then trigger the command injection, and the attacker needs zero credentials. That chain produces unauthenticated remote code execution, scored as high as CVSS 10.0. Full host compromise, credential theft, and lateral movement into connected AI infrastructure all follow from there.

This is not theoretical. CISA recently added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. For context, a separate LiteLLM SQL injection flaw came under attack within 36 hours of going public a month earlier. The window between disclosure and exploitation is shrinking to almost nothing.

What to do now

Patch first. Upgrade LiteLLM to 1.83.7 or later, which adds authorization controls requiring the admin role on the affected endpoints. Upgrade Starlette to 1.0.1 or later to close the authentication bypass that enables the unauthenticated path.

Then reduce exposure. Block or restrict the MCP test endpoints at your reverse proxy or gateway. Keep production gateways off the public internet wherever possible, and place them behind network controls so a single leaked key cannot reach the control plane. Audit which keys exist, what each one can reach, and rotate anything that may have been exposed.

The pattern worth noticing

Most early AI security conversation focused on prompt injection, data leakage, and model behavior. CVE-2026-42271 is a reminder that AI infrastructure also fails in ordinary software ways. An endpoint accepted untrusted input and turned it into a subprocess. That is a classic mistake wearing a new label.

If you ship AI features built on tools like LiteLLM, the gateway deserves the same scrutiny as any internet-facing service. Test endpoints, MCP configuration handlers, and key scopes are exactly the surfaces a black-box audit is built to find before someone else does.

VibeAudits

Security Experts

Worried your vibe-coded app has issues like this?

We run professional code audits for SaaS apps and AI features built with Cursor, Claude, Copilot, Lovable and Replit. We find the security and reliability problems before your customers (or attackers) do, then hand you a fix-ready report.