Tool Abuse / Excessive Agency · Critical
LiteLLM AI gateway command injection exploited in the wild (CVE-2026-42271)
June 2026 · LiteLLM (BerriAI) AI gateway / proxy
What happened
CVE-2026-42271 is a command injection flaw in LiteLLM's MCP server test endpoints (POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list), which accept a full server configuration including command, args, and env for the stdio transport and spawn it as a subprocess on the proxy host. Any holder of a proxy API key could run arbitrary commands. LiteLLM is a widely deployed open-source gateway that fronts provider API keys and cloud credentials. CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 8, 2026 after confirming active in-the-wild exploitation, with activity linked to the Qilin ransomware group.
Root cause
The MCP preview endpoints passed attacker-controlled subprocess configuration straight to process execution with no command allowlist and no PROXY_ADMIN role gate. Horizon3.ai showed it chains with CVE-2026-48710 ("BadHost", a Starlette Host header validation bypass affecting Starlette 1.0.0 and earlier) to drop the API-key requirement entirely, turning an authenticated bug into unauthenticated remote code execution from any network-reachable host (combined CVSS 10.0).
Fix / outcome
Patched in LiteLLM 1.83.7 (released May 8, 2026), which restricts the MCP test endpoints to the PROXY_ADMIN role and bumps Starlette to 1.0.1. Affected versions are 1.74.2 through 1.83.6. Upgrade both LiteLLM and Starlette, gate the proxy behind authentication and network controls, and rotate any provider keys or cloud credentials the host could reach.
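A triage sketch for the guidance above, added here as an example and not taken from LiteLLM or from the sources of this entry: it classifies a host from its installed LiteLLM and Starlette versions using the ranges stated in this entry, and flags POSTs to the two MCP test endpoints in an access log. The function names, the quoted request-line log format, and the sample lines are assumptions constructed for illustration.

```python
import re

# Endpoints and version boundaries as stated in this entry.
MCP_TEST_PATHS = ("/mcp-rest/test/connection", "/mcp-rest/test/tools/list")
LITELLM_FIRST_BAD, LITELLM_FIXED = (1, 74, 2), (1, 83, 7)
STARLETTE_FIXED = (1, 0, 1)
# Assumption: the log quotes the request line as "METHOD path HTTP/x" then the status.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def parse_version(text):
    """Leading numeric components of a version string, padded to three parts."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(n) for n in m.group().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def exposure(litellm_version, starlette_version):
    """Classify a host from its installed LiteLLM and Starlette versions."""
    injectable = LITELLM_FIRST_BAD <= parse_version(litellm_version) < LITELLM_FIXED
    badhost = parse_version(starlette_version) < STARLETTE_FIXED
    if injectable and badhost:
        return "unauthenticated-rce"   # both CVEs present: the chained case
    if injectable:
        return "authenticated-rce"     # CVE-2026-42271 alone: needs a proxy API key
    return "starlette-only" if badhost else "patched"

def mcp_test_hits(log_lines):
    """Return (line_no, path, status) for each POST to an MCP test endpoint."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")  # ignore query and trailing slash
        if path in MCP_TEST_PATHS:
            hits.append((line_no, path, int(m["status"])))
    return hits

SAMPLE_LOG = [  # constructed lines using documentation IP ranges, not real traffic
    '192.0.2.10 - - [09/Jun/2026:10:00:01 +0000] "POST /v1/chat/completions HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Jun/2026:10:00:05 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 87',
    '198.51.100.7 - - [09/Jun/2026:10:00:09 +0000] "POST /mcp-rest/test/tools/list/ HTTP/1.1" 403 41',
    '192.0.2.10 - - [09/Jun/2026:10:00:12 +0000] "GET /mcp-rest/test/connection HTTP/1.1" 405 31',
]

if __name__ == "__main__":
    print(exposure("1.83.6", "1.0.0"), mcp_test_hits(SAMPLE_LOG))
```

Any hit recorded while the host ran an affected version is a reason to review process-creation telemetry on the proxy host for the same time window and to rotate the credentials it could reach.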