Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42271

CVE-2026-42271: Litellm Litellm RCE Vulnerability

CVE-2026-42271 is a remote code execution flaw in Litellm Litellm affecting versions 1.74.2 to 1.83.6. Attackers with low-privilege keys can execute arbitrary commands on the proxy host. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-42271 Overview

CVE-2026-42271 is a command injection vulnerability in LiteLLM, an open-source proxy server (AI Gateway) that exposes large language model APIs in OpenAI-compatible format. The flaw affects versions from 1.74.2 up to but not including 1.83.7. Two Model Context Protocol (MCP) preview endpoints accept full server configurations, including command, args, and env fields used by the stdio transport. Any authenticated user holding a valid proxy API key can trigger subprocess execution on the proxy host. The endpoints lack role-based authorization, allowing low-privilege internal users to run arbitrary commands with the privileges of the proxy process.

Critical Impact

Authenticated attackers with low-privilege API keys can execute arbitrary commands on the LiteLLM proxy host, enabling full host compromise and lateral movement into connected AI infrastructure.

Affected Products

  • LiteLLM versions 1.74.2 through 1.83.6
  • LiteLLM proxy deployments exposing MCP preview endpoints
  • Self-hosted AI Gateway instances using stdio transport for MCP servers

Discovery Timeline

  • 2026-05-08 - CVE-2026-42271 published to NVD
  • 2026-05-08 - Last updated in NVD database

Technical Details for CVE-2026-42271

Vulnerability Analysis

The vulnerability resides in two MCP preview endpoints: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. These endpoints allow callers to preview an MCP server configuration before saving it. The request body accepts the full configuration, including transport-specific fields. When the supplied configuration uses the stdio transport, the proxy invokes the configured command with its args and env to establish the connection. This subprocess executes on the proxy host under the proxy process privileges. The endpoints validate only that the request carries a valid proxy API key. No role check restricts use to administrators, so any internal-user token suffices. The flaw is tracked under CWE-77: Improper Neutralization of Special Elements used in a Command.

Root Cause

The root cause is missing authorization combined with unsafe handling of user-controlled process configuration. The endpoints trust authenticated callers to supply the executable path and arguments that the proxy will spawn. There is no allowlist of permitted commands, no administrator role gate, and no sandbox isolating the spawned subprocess from the host.

Attack Vector

An attacker authenticates to the LiteLLM proxy using any valid API key, including a low-privilege internal-user key. The attacker sends a crafted POST request to /mcp-rest/test/connection or /mcp-rest/test/tools/list containing a JSON body describing a stdio-transport MCP server. The command field is set to an arbitrary binary on the host, and args and env supply attacker-controlled parameters. The proxy spawns the process, granting the attacker command execution with proxy-process privileges. From this foothold, attackers can access stored model API keys, environment secrets, and any backend services the proxy can reach.

Detection Methods for CVE-2026-42271

Indicators of Compromise

  • Requests to /mcp-rest/test/connection or /mcp-rest/test/tools/list containing command, args, or env fields in the JSON body
  • Unexpected child processes spawned by the LiteLLM proxy process, especially shells (sh, bash), interpreters (python, node), or network tools (curl, wget, nc)
  • Outbound network connections originating from subprocesses of the proxy to untrusted destinations
  • API key usage patterns where non-admin keys invoke MCP preview endpoints

Detection Strategies

  • Inspect HTTP access logs and request bodies for the two affected MCP preview routes and alert on use by non-administrative API keys
  • Monitor process trees on hosts running LiteLLM for child processes that do not match the expected MCP server allowlist
  • Correlate authentication events with subprocess execution timestamps to attribute commands to specific API keys

Monitoring Recommendations

  • Enable verbose proxy audit logging and forward logs to a centralized SIEM for retention and correlation
  • Track LiteLLM version inventory across environments and flag any instance running between 1.74.2 and 1.83.6
  • Alert on creation or modification of MCP server entries that use the stdio transport with non-standard commands

How to Mitigate CVE-2026-42271

Immediate Actions Required

  • Upgrade LiteLLM to version 1.83.7 or later, which patches the affected endpoints
  • Rotate all proxy API keys, model provider credentials, and environment secrets accessible to the proxy process
  • Audit recent requests to /mcp-rest/test/connection and /mcp-rest/test/tools/list for signs of abuse
  • Review host process and authentication logs for unauthorized subprocess execution following the disclosure window

Patch Information

LiteLLM addressed the vulnerability in version 1.83.7. Release notes and download artifacts are available in the LiteLLM v1.83.7 release. The vendor advisory with full technical detail is published as GitHub Security Advisory GHSA-v4p8-mg3p-g94g.

Workarounds

  • Restrict network access to the LiteLLM proxy admin and MCP routes using a reverse proxy or ingress allowlist limiting traffic to trusted administrator networks
  • Issue API keys with the minimum scope required and revoke any unused or low-trust internal-user keys until the upgrade is complete
  • Run the LiteLLM proxy as an unprivileged user inside a container with read-only filesystem, no shell binaries, and strict egress controls to limit blast radius
bash
# Verify and upgrade the installed LiteLLM version
pip show litellm | grep -i version
pip install --upgrade 'litellm>=1.83.7'

# Confirm the fixed version is active
python -c "import litellm; print(litellm.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.