CVE-2026-42271 Overview
CVE-2026-42271 is a command injection vulnerability in LiteLLM, an open-source proxy server (AI Gateway) that exposes large language model APIs in OpenAI-compatible format. The flaw affects versions from 1.74.2 up to but not including 1.83.7. Two Model Context Protocol (MCP) preview endpoints accept full server configurations, including command, args, and env fields used by the stdio transport. Any authenticated user holding a valid proxy API key can trigger subprocess execution on the proxy host. The endpoints lack role-based authorization, allowing low-privilege internal users to run arbitrary commands with the privileges of the proxy process.
Critical Impact
Authenticated attackers with low-privilege API keys can execute arbitrary commands on the LiteLLM proxy host, enabling full host compromise and lateral movement into connected AI infrastructure.
Affected Products
- LiteLLM versions 1.74.2 through 1.83.6
- LiteLLM proxy deployments exposing MCP preview endpoints
- Self-hosted AI Gateway instances using stdio transport for MCP servers
Discovery Timeline
- 2026-05-08 - CVE-2026-42271 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2026-42271
Vulnerability Analysis
The vulnerability resides in two MCP preview endpoints: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. These endpoints allow callers to preview an MCP server configuration before saving it. The request body accepts the full configuration, including transport-specific fields. When the supplied configuration uses the stdio transport, the proxy invokes the configured command with its args and env to establish the connection. This subprocess executes on the proxy host under the proxy process privileges. The endpoints validate only that the request carries a valid proxy API key. No role check restricts use to administrators, so any internal-user token suffices. The flaw is tracked under CWE-77: Improper Neutralization of Special Elements used in a Command.
Root Cause
The root cause is missing authorization combined with unsafe handling of user-controlled process configuration. The endpoints trust authenticated callers to supply the executable path and arguments that the proxy will spawn. There is no allowlist of permitted commands, no administrator role gate, and no sandbox isolating the spawned subprocess from the host.
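The two missing gates named above (an administrator role check and a command allowlist), sketched as an added example; this is not LiteLLM's code or its actual fix. The role label, the `transport` key, and the allowlisted path are assumptions.

```python
import posixpath

ADMIN_ROLES = {"proxy_admin"}                   # assumption: admin role label
ALLOWED_COMMANDS = {"/opt/mcp/bin/docs-server"}  # assumption: constructed site allowlist

def check_preview(caller_role, server_config):
    """Return (allowed, reason) for an MCP preview request body."""
    # Gate 1: previewing a server configuration is an administrative action.
    if caller_role not in ADMIN_ROLES:
        return False, "admin role required"
    # Only the stdio transport spawns a local process ("transport" is an assumed key).
    if server_config.get("transport") != "stdio":
        return True, "no local subprocess"
    command = server_config.get("command")
    if not isinstance(command, str) or not posixpath.isabs(command):
        # A bare name is resolved through PATH at spawn time, so it does not
        # identify one binary and cannot be matched against the allowlist.
        return False, "command must be an absolute path"
    # Gate 2: compare the normalised path so '..' segments cannot dodge the allowlist.
    if posixpath.normpath(command) not in ALLOWED_COMMANDS:
        return False, "command not in allowlist"
    args = server_config.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return False, "args must be a list of strings"
    return True, "allowed"
```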
Attack Vector
An attacker authenticates to the LiteLLM proxy using any valid API key, including a low-privilege internal-user key. The attacker sends a crafted POST request to /mcp-rest/test/connection or /mcp-rest/test/tools/list containing a JSON body describing a stdio-transport MCP server. The command field is set to an arbitrary binary on the host, and args and env supply attacker-controlled parameters. The proxy spawns the process, granting the attacker command execution with proxy-process privileges. From this foothold, attackers can access stored model API keys, environment secrets, and any backend services the proxy can reach.
Detection Methods for CVE-2026-42271
Indicators of Compromise
- Requests to /mcp-rest/test/connection or /mcp-rest/test/tools/list containing command, args, or env fields in the JSON body
- Unexpected child processes spawned by the LiteLLM proxy process, especially shells (sh, bash), interpreters (python, node), or network tools (curl, wget, nc)
- Outbound network connections originating from subprocesses of the proxy to untrusted destinations
- API key usage patterns where non-admin keys invoke MCP preview endpoints
Detection Strategies
- Inspect HTTP access logs and request bodies for the two affected MCP preview routes and alert on use by non-administrative API keys
- Monitor process trees on hosts running LiteLLM for child processes that do not match the expected MCP server allowlist
- Correlate authentication events with subprocess execution timestamps to attribute commands to specific API keys
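The three strategies above combined into one pass, as an added example that is not part of the original advisory or of LiteLLM. The JSON log fields, role labels, parent process name, allowlist, and time window are assumptions, and the sample records are constructed.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import urlsplit

PREVIEW_ROUTES = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
ADMIN_ROLES = {"proxy_admin"}         # assumption: role label written to the log
EXPECTED_CHILDREN = {"docs-server"}   # assumption: this site's MCP server allowlist
WINDOW = timedelta(seconds=5)         # assumption: max delay from request to spawn

# Constructed samples; the field names are assumptions, not LiteLLM's log schema.
ACCESS_LOG = """
{"ts":"2026-05-09T10:00:01","method":"POST","path":"/mcp-rest/test/connection","key_alias":"ci-bot","role":"internal_user"}
{"ts":"2026-05-09T10:02:30","method":"POST","path":"/mcp-rest/test/tools/list/","key_alias":"ops-admin","role":"proxy_admin"}
{"ts":"2026-05-09T10:03:00","method":"POST","path":"/chat/completions","key_alias":"ci-bot","role":"internal_user"}
"""
PROC_LOG = """
{"ts":"2026-05-09T10:00:02","parent":"litellm","exe":"/bin/sh"}
{"ts":"2026-05-09T10:02:31","parent":"litellm","exe":"/opt/mcp/bin/docs-server"}
{"ts":"2026-05-09T10:07:00","parent":"litellm","exe":"/usr/bin/curl"}
"""

def load(text):
    rows = [json.loads(line) for line in text.splitlines() if line.strip()]
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["ts"])
    return rows

def preview_hits(rows):
    # Normalise query strings and trailing slashes before matching the routes.
    return [r for r in rows if r["method"] == "POST"
            and urlsplit(r["path"]).path.rstrip("/") in PREVIEW_ROUTES]

def findings(access_text, proc_text, parent="litellm"):
    hits, out = preview_hits(load(access_text)), []
    for h in hits:
        if h["role"] not in ADMIN_ROLES:
            out.append(("non_admin_preview", h["key_alias"], h["path"]))
    for p in load(proc_text):
        name = p["exe"].rsplit("/", 1)[-1]
        if p["parent"] != parent or name in EXPECTED_CHILDREN:
            continue
        # Attribute the spawn to keys that hit a preview route just before it.
        keys = sorted({h["key_alias"] for h in hits
                       if timedelta(0) <= p["ts"] - h["ts"] <= WINDOW})
        out.append(("unexpected_child", p["exe"], keys))
    return out

if __name__ == "__main__":
    print(*findings(ACCESS_LOG, PROC_LOG), sep="\n")
```

An unexpected child with an empty key list, like the constructed `curl` record, has no preview request inside the window and needs separate triage.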
Monitoring Recommendations
- Enable verbose proxy audit logging and forward logs to a centralized SIEM for retention and correlation
- Track LiteLLM version inventory across environments and flag any instance running between 1.74.2 and 1.83.6
- Alert on creation or modification of MCP server entries that use the stdio transport with non-standard commands
How to Mitigate CVE-2026-42271
Immediate Actions Required
- Upgrade LiteLLM to version 1.83.7 or later, which patches the affected endpoints
- Rotate all proxy API keys, model provider credentials, and environment secrets accessible to the proxy process
- Audit recent requests to /mcp-rest/test/connection and /mcp-rest/test/tools/list for signs of abuse
- Review host process and authentication logs for unauthorized subprocess execution following the disclosure window
Patch Information
LiteLLM addressed the vulnerability in version 1.83.7. Release notes and download artifacts are available in the LiteLLM v1.83.7 release. The vendor advisory with full technical detail is published as GitHub Security Advisory GHSA-v4p8-mg3p-g94g.
Workarounds
- Restrict network access to the LiteLLM proxy admin and MCP routes using a reverse proxy or ingress allowlist limiting traffic to trusted administrator networks
- Issue API keys with the minimum scope required and revoke any unused or low-trust internal-user keys until the upgrade is complete
- Run the LiteLLM proxy as an unprivileged user inside a container with read-only filesystem, no shell binaries, and strict egress controls to limit blast radius
```bash
# Check the installed LiteLLM version, then upgrade to the fixed release
pip show litellm | grep -i version
pip install --upgrade 'litellm>=1.83.7'
# Confirm the fixed version is active (read from the installed package metadata)
python -c "from importlib.metadata import version; print(version('litellm'))"
```


