The U.S. Cybersecurity and Infrastructure Security Agency on Monday added a high-severity command injection flaw in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog, saying it has seen active exploitation of CVE-2026-42271, which affects versions 1.74.2 through 1.83.6 and can let authenticated users run commands on the host.
KEY FACTS
- Severity CVSS score of 8.7.
- Affected versions LiteLLM Python package 1.74.2 up to, but not including, 1.83.7.
- Attack path Two test endpoints accepted full MCP server settings, including command, args and env fields.
- Fix Version 1.83.7 requires the PROXY_ADMIN role for both test endpoints.
According to the vendor advisory, the vulnerable endpoints were used to preview an MCP server before saving it. When called with a stdio configuration, they tried to connect and spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.
That behavior meant any authenticated user with a valid proxy API key could execute arbitrary commands on a susceptible system, including users with internal privileges. The patch in version 1.83.7 changes the authorization check so the test endpoints now require the PROXY_ADMIN role, matching the save endpoint.
Last week, Horizon3.ai said the flaw could be chained with CVE-2026-48710, a Starlette host header validation bypass, to bypass authentication entirely in some LiteLLM deployments and reach unauthenticated remote code execution. The combined chain was assigned a CVSS score of 10.0.
There is no public detail on who is behind the attacks, who is being targeted or how many systems may have been compromised. It is also not clear whether the observed exploitation uses the chained attack path or the LiteLLM flaw on its own.
WHY IT MATTERS
The flaw can give attackers a route to run commands on an AI gateway that may store model credentials, API keys and other secrets. Organizations using LiteLLM are advised to update to version 1.83.7 or later, patch Starlette to 1.0.1 or later if relevant, or block the vulnerable endpoints and review logs for unusual host header activity.