LiteLLM Vulnerability Enables Unauthenticated Remote Code Execution

Researchers at Horizon3.ai published a technical disclosure showing that a command-injection flaw in LiteLLM's MCP test endpoints, tracked as CVE-2026-42271 (rated CVSS 8.7 on its own), can be chained with a Starlette host-header validation bypass, CVE-2026-48710, to achieve unauthenticated remote code execution. Horizon3.ai reports the chain converts an originally authenticated issue into an unauthenticated RCE, and assessed the chained path at CVSS 10.0. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog, with The Hacker News reporting CISA cited evidence of active exploitation. Affected LiteLLM releases include 1.74.2 through 1.83.6; vendor patches appear in 1.83.7.

Per the Horizon3.ai disclosure, the two vulnerable LiteLLM MCP endpoints are POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. Those endpoints accept a full server configuration including command, args, and env fields for stdio transports; when invoked, LiteLLM spawns the supplied command as a subprocess under the proxy process user. Horizon3.ai validated that CVE-2026-48710, a Starlette "BadHost" host header validation bypass affecting Starlette versions <= 1.0.0, can be used to bypass the API-key-based authentication that had previously gated the test endpoints, yielding unauthenticated execution. The chain allows an attacker to execute arbitrary commands on the proxy host and, according to Horizon3.ai, to access cached model-provider API keys and other secrets stored by the proxy.

Multiple vulnerability-tracking and security vendors, including runZero and AI Weekly, have enumerated related LiteLLM issues in the same timeframe: SQL-injection-style flaws in API-key verification and server-side template injection (SSTI) in prompt-testing endpoints were reported alongside the MCP test-endpoint command-injection issue in vendor advisories and blog summaries. runZero notes that official container images run the proxy process as root by default, increasing blast radius in some deployments.

Editorial analysis: AI gateway proxies like LiteLLM are designed to centralize access to multiple model providers and to manage provider credentials; this function concentrates high-value secrets (API keys, provider tokens) that attackers can weaponize if they obtain host-level execution. Public reporting and the CISA KEV listing indicate that AI gateway infrastructure is now a prioritized target for active exploitation campaigns. Observers tracking similar chains note that dependency-layer flaws, for example in widely used frameworks such as Starlette, frequently convert otherwise scoped vulnerabilities into unauthenticated, high-severity paths.

For practitioners: watch for inventory signals that reveal exposed LiteLLM instances and their Starlette dependency versions, and track network telemetry for attempts to invoke POST /mcp-rest/test/connection or POST /mcp-rest/test/tools/list with unusual Host headers or stdio payloads. Also monitor alerts from CISA and your OSV/CVE feeds for follow-on CVE assignments and additional advisories from BerriAI and major cloud vendors. Security teams should validate whether LiteLLM runs as root in containers or under constrained service accounts, because privilege context materially changes post-exploitation impact.

Reported fixes include updating LiteLLM to 1.83.7, which Horizon3.ai and The Hacker News report changes the test endpoints to require the PROXY_ADMIN role, aligning them with the save endpoint. Affected deployments that include Starlette <= 1.0.0 are advised to upgrade to 1.0.1 per the Starlette advisory chain described by Horizon3.ai. Several security vendors published detection guidance and enumeration playbooks for impacted assets.

Editorial analysis: The combination of a gateway proxy that handles high-value API keys and a dependency-level bypass that removes authentication illustrates a common high-risk pattern in AI infrastructure, where convenience-oriented developer endpoints and transitive dependencies create a disproportionate attack surface. With CISA citing active exploitation, defenders will likely prioritize discovery, patching, and credential rotation for exposed proxies in the near term.