Critical LiteLLM Vulnerability Enables Unauthenticated RCE
A critical vulnerability chain affecting LiteLLM has been identified, enabling unauthenticated remote code execution (RCE) on exposed servers.
Tracked as CVE-2026-42271 and chained with CVE-2026-48710, the flaw allows attackers to bypass authentication controls and execute arbitrary system commands, posing a severe risk to AI infrastructure worldwide that depends on LiteLLM deployments.
CVE-2026-42271 is a command injection flaw residing in LiteLLM’s Model Context Protocol (MCP) server test endpoints, specifically /mcp-rest/test/connection and /mcp-rest/test/tools/list.
These endpoints are designed to accept full server configurations, including executable commands, arguments, and environment variables for stdio-based transport.
When invoked, LiteLLM spawns these configurations as subprocesses on the host system. Initially, this vulnerability was considered low severity because accessing these endpoints required a valid proxy API key, limiting potential exposure.
Researchers at Horizon3.ai demonstrated that the access control protecting these endpoints can be completely bypassed when CVE-2026-42271 is chained with CVE-2026-48710, a Starlette framework vulnerability involving improper Host header validation, commonly referred to as the “BadHost” bypass.
This flaw affects Starlette versions up to and including 1.0.0, allowing attackers to manipulate Host headers to circumvent authentication mechanisms in dependent applications.
When LiteLLM deployments rely on a vulnerable Starlette version, attackers can exploit this weakness to reach the MCP test endpoints without any credentials.
Impact and Exploitation Scope
The chained exploitation results in full unauthenticated RCE, enabling attackers to execute arbitrary commands under the privileges of the LiteLLM proxy process. The security implications are wide-ranging:
- Credential theft — Successful exploitation can expose model provider credentials, API keys, and environment secrets stored within the proxy
- Lateral movement — Threat actors can pivot across connected AI systems, impacting downstream services integrated with the LiteLLM gateway
- Full host compromise — Arbitrary command execution grants attackers extensive control over the underlying server
Security researchers have assigned the vulnerability chain a CVSS score of 10.0 (Critical). Affected versions span LiteLLM releases 1.74.2 through 1.83.6, specifically in environments where Starlette dependencies remain at or below version 1.0.0.
Organizations should monitor their environments for the following signals:
- Unexpected subprocess executions triggered via MCP endpoints
- Suspicious HTTP requests targeting /mcp-rest/test/routes
- Anomalous or manipulated Host header values in access logs
- Evidence of unauthorized command execution on the host system
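One way to triage access logs for the HTTP signals listed above, as an added example that is not code from LiteLLM or Horizon3.ai. The log layout, the `EXPECTED_HOSTS` allowlist and the sample lines are assumptions constructed for illustration; adapt the regex to the format your reverse proxy actually writes.

```python
import re

MCP_TEST_PREFIX = "/mcp-rest/test/"  # covers both endpoints named in the article
EXPECTED_HOSTS = {"llm-gateway.example.internal"}  # assumption: your real hostnames

# Assumed log layout: client [time] "METHOD target HTTP/x" status host="..."
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) host="(?P<host>[^"]*)"$'
)

def hostname_of(host_header):
    """Lower-case the Host value and drop an optional :port (IPv6 literals stay bracketed)."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host[: host.find("]") + 1]
    return host.split(":", 1)[0]

def triage(lines, expected_hosts=EXPECTED_HOSTS):
    """Return one finding per request that touched the MCP test routes."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        # Drop the query string and collapse repeated slashes before matching.
        path = re.sub(r"/{2,}", "/", match["target"].split("?", 1)[0])
        if not path.startswith(MCP_TEST_PREFIX):
            continue
        flags = []
        if hostname_of(match["host"]) not in expected_hosts:
            flags.append("unexpected-host")  # Host value outside the allowlist
        if match["status"].startswith("2"):
            flags.append("succeeded")  # the endpoint accepted the request
        findings.append({"line": number, "client": match["client"],
                         "path": path, "host": match["host"], "flags": flags})
    return findings

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.4.17 [02/Jun/2026:09:14:03 +0000] "POST /v1/chat/completions HTTP/1.1" 200 host="llm-gateway.example.internal"
10.0.4.22 [02/Jun/2026:09:15:40 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 host="llm-gateway.example.internal:4000"
203.0.113.50 [02/Jun/2026:09:16:12 +0000] "POST /mcp-rest/test/tools/list HTTP/1.1" 200 host="unexpected.invalid"
203.0.113.50 [02/Jun/2026:09:16:13 +0000] "POST /mcp-rest/test/connection?x=1 HTTP/1.1" 401 host="llm-gateway.example.internal"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding carrying both `unexpected-host` and `succeeded` deserves review first; correlate its timestamp with process-creation telemetry on the proxy host.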
Mitigation and Recommended Actions
Users are strongly advised to take the following steps immediately:
- Upgrade LiteLLM to version 1.83.7 or later
- Update Starlette to version 1.0.1 or newer
- Restrict access to MCP test endpoints at the network or application layer
- Enforce network segmentation around LiteLLM proxy deployments
- Rotate all sensitive credentials, including model provider API keys and environment secrets
- Audit logs for suspicious subprocess and HTTP activity
CVE-2026-42271 was reported in April 2026, with a patch released in May. The Starlette “BadHost” issue was publicly detailed later that month. By June 2026, Horizon3.ai confirmed the full unauthenticated exploitation chain, elevating the threat to critical status.
This discovery highlights the growing attack surface in AI infrastructure and the critical importance of securing framework-level dependencies, not just application logic, in production deployments.