• Category: Security
  • Status: confirmed
  • Sources: Help Net Security, Horizon3.ai, CISA KEV
  • Summary: CVE-2026-42271 is a command injection flaw (CVSS 8.7) in LiteLLM MCP server preview endpoints, affecting versions 1.74.2 through 1.83.6. The endpoints POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list accept a full server config including command, args, and env fields and spawn them as subprocesses without validation. Horizon3.ai chained this with CVE-2026-48710, a host header bypass in Starlette (BadHost), to achieve unauthenticated RCE with a combined CVSS of 10.0. CISA added the flaw to KEV on 2026-06-08.
  • Why it matters: Exploiting a LiteLLM proxy exposes all model provider API keys, integrated AI infrastructure, and downstream connected systems. Patch to LiteLLM 1.83.7 and Starlette 1.0.1; block the two affected endpoints at the reverse proxy if immediate patching is not possible.

Send feedback on this story