The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical vulnerability affecting the BerriAI LiteLLM platform to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This high-severity flaw, identified as CVE-2026-42271, presents a significant risk to organizations utilizing AI models through this popular open-source gateway.
The vulnerability, carrying a CVSS score of 8.7, is classified as a command injection flaw. This means an authenticated user could potentially execute arbitrary commands on the host server running the LiteLLM package, compromising data and system integrity. The issue specifically affects certain versions of the LiteLLM Python package, prompting an urgent call for updates.
Critical LiteLLM Vulnerability Exposed and Actively Exploited
According to BerriAI, the developers of LiteLLM, the vulnerability stems from two specific endpoints used for previewing MCP server configurations: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. These endpoints accepted a full server configuration within the request body, including sensitive fields like command, arguments, and environment variables associated with the stdio transport. When these endpoints were invoked with a stdio configuration, they would attempt to establish a connection, inadvertently spawning the supplied command as a subprocess on the proxy host. Critically, this subprocess would run with the same privileges as the proxy process itself.
The flaw was particularly concerning because these endpoints were only protected by a valid proxy API key. This means that any user with authenticated access, including those holding less privileged internal-user keys, could exploit this weakness to execute commands on susceptible systems. This has raised alarms across the cybersecurity community regarding the security of AI infrastructure.
Exploiting LiteLLM: The Chained Vulnerability
Further compounding the severity of the situation, cybersecurity researchers at Horizon3.ai have successfully chained CVE-2026-42271 with another vulnerability, CVE-2026-48710. The latter is a “BadHost” host header validation bypass flaw affecting Starlette, a lightweight ASGI framework often found in the dependency tree of LiteLLM deployments. By combining these two vulnerabilities, Horizon3.ai demonstrated a method to completely bypass authentication mechanisms, achieving unauthenticated remote code execution against vulnerable LiteLLM instances.
Horizon3.ai stated that CVE-2026-48710 can be exploited to circumvent LiteLLM’s authentication processes entirely, especially in deployments using versions of Starlette up to and including 1.0.0. This circumvention transforms the risk from an authenticated threat to an unauthenticated one, requiring no credentials to initiate an attack. The combined impact of this exploit chain is deemed critical, with a reported CVSS score of 10.0.
The implications of a successful exploitation of this chained vulnerability are far-reaching. Attackers could gain the ability to run arbitrary commands on the LiteLLM host, potentially accessing and exfiltrating sensitive model provider credentials, API keys, and other secrets stored by the proxy. This could also enable attackers to move laterally within an organization’s connected AI infrastructure or compromise downstream systems that rely on the LiteLLM gateway for AI services. The potential for widespread disruption and data breaches is significant.
Currently, details regarding the specific methods of exploitation, the identity of the threat actors involved, the targeted entities, or the extent of successful compromises remain undisclosed. It is also unclear if the active exploitation of CVE-2026-42271 being monitored by CISA is leveraging the full exploit chain identified by Horizon3.ai.
Organizations are strongly advised to update LiteLLM to version 1.83.7 or later, and Starlette to version 1.0.1 or later, to patch both identified vulnerabilities. If immediate patching is not feasible, CISA recommends several mitigation strategies. These include blocking the vulnerable endpoints (POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list) at the reverse proxy or API gateway level, restricting network access to trusted segments, rotating any credentials stored by the proxy, and diligently reviewing logs for anomalous Host header activity and unauthorized subprocess execution events. This advisory follows closely on the heels of another critical SQL injection flaw in LiteLLM (CVE-2026-42208) that was actively exploited shortly after its public disclosure.
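One check that complements the mitigations above is to search reverse-proxy access logs for POST requests to the two preview endpoints, both to see whether they were called before a block was in place and to confirm the block now rejects them. The script below is an added example, not code from CISA, BerriAI, or Horizon3.ai; it assumes the nginx/Apache "combined" log format, and its function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The two endpoints named in the advisory text above.
PREVIEW_ENDPOINTS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

# Assumption: access logs use the nginx/Apache "combined" layout.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Reduce a request target to a canonical path for comparison.

    Matching is broad on purpose: in log review a false positive
    costs less than a missed request.
    """
    path = unquote(target.split("?", 1)[0])   # drop query string, decode %xx
    path = re.sub(r"/{2,}", "/", path)        # collapse duplicate slashes
    return path.rstrip("/").lower() or "/"

def find_preview_calls(lines):
    """Return (timestamp, client, path, status) for each POST to a preview endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = normalize_path(m["target"])
        if path in PREVIEW_ENDPOINTS:
            hits.append((m["ts"], m["client"], path, int(m["status"])))
    return hits

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2026:10:01:02 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '198.51.100.4 - - [12/May/2026:10:01:05 +0000] "POST /v1/chat/completions HTTP/1.1" 200 2048 "-" "openai-python/1.0"',
    '203.0.113.7 - - [12/May/2026:10:02:11 +0000] "POST //mcp-rest/test/tools%2Flist/?x=1 HTTP/1.1" 403 0 "-" "curl/8.5"',
    '198.51.100.9 - - [12/May/2026:10:03:00 +0000] "GET /mcp-rest/test/connection HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ts, client, path, status in find_preview_calls(SAMPLE_LOG):
        print(f"{ts} {client} POST {path} -> {status}")
```

Any hit with a 2xx status that predates the block or the upgrade is a reason to treat credentials stored by the proxy as exposed and rotate them, as the guidance above recommends.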

