CISA Adds LiteLLM Flaw CVE-2026-42271 to KEV

CISA added LiteLLM flaw CVE-2026-42271 to its KEV list on Monday, citing active exploitation; researchers say chaining it with Starlette CVE-2026-48710 can enable unauthenticated RCE.

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-42271, a high-severity command injection flaw in BerriAI’s LiteLLM, to its Known Exploited Vulnerabilities catalog on Monday and cited evidence of active exploitation. The vulnerability carries a CVSS score of 8.7 and affects the LiteLLM Python package versions >= 1.74.2 and < 1.83.7.

BerriAI and outside researchers found two test endpoints, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, that accepted a full server configuration in the request body, including fields named command, args and env used by the stdio transport. When a stdio configuration was used, the endpoints attempted to connect and spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints required only a valid proxy API key for access, allowing any authenticated user holding such a key to execute commands on a vulnerable host.

The LiteLLM maintainers issued fixes in version 1.83.7. The update restricts the two test endpoints to users with the PROXY_ADMIN role, aligning their access control with the existing save endpoint.

Security researchers at Horizon3.ai described an attack chain that combines CVE-2026-42271 with a Starlette host header validation bypass, CVE-2026-48710, affecting Starlette versions at or below 1.0.0. The host header bypass can defeat authentication in LiteLLM deployments whose dependency tree includes Starlette <= 1.0.0, which the researchers say converts the issue into unauthenticated remote code execution. The combined chain was assigned a CVSS score of 10.0.

If the exploit chain is used, attackers could run arbitrary commands on the LiteLLM host, retrieve model provider credentials and API keys stored by the proxy, move laterally into connected AI infrastructure, and access cloud credentials or other sensitive data used by downstream services.

CISA and vendors recommend updating LiteLLM to version 1.83.7 or later and Starlette to version 1.0.1 or later. Where immediate patching is not possible, mitigations include blocking the two POST test endpoints at reverse proxies or API gateways, restricting network access to trusted segments, rotating credentials stored by the proxy, and reviewing logs for unusual Host header activity and subprocess execution events.
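As an added example (not code from CISA, BerriAI or Horizon3.ai), the following Python script applies the log-review mitigation above to constructed JSON access-log lines: it flags POST requests to the two test endpoints, rates them higher when the request body carried the stdio fields named in the advisory, and reports Host header values outside an allowlist. The one-object-per-line log format, the `body_keys` field and the allowed host names are assumptions.

```python
import json
from typing import Iterable

# Test endpoints named in the advisory; access restricted to PROXY_ADMIN in LiteLLM 1.83.7.
TEST_ENDPOINTS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

# Request-body fields used by the stdio transport (named in the advisory).
STDIO_FIELDS = {"command", "args", "env"}

# Assumed allowlist of Host header values this proxy legitimately serves.
ALLOWED_HOSTS = {"litellm.internal.example", "litellm.internal.example:4000"}


def review_access_log(lines: Iterable[str], allowed_hosts=ALLOWED_HOSTS):
    """Return (line_no, finding, detail) tuples for suspicious access-log records.

    Assumed format: one JSON object per line with method, path, host and an
    optional body_keys list (top-level keys of the request body)."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, "unparseable", line[:60]))
            continue
        method = rec.get("method", "").upper()
        path = rec.get("path", "").split("?", 1)[0]  # ignore query string
        host = rec.get("host", "")
        if method == "POST" and path in TEST_ENDPOINTS:
            # A stdio-style body (command/args/env) is the pattern that spawned a subprocess.
            sev = "high" if STDIO_FIELDS & set(rec.get("body_keys", [])) else "medium"
            findings.append((n, f"test-endpoint:{sev}", path))
        if host and host not in allowed_hosts:
            # Unexpected Host values are worth review given the Starlette host validation bypass.
            findings.append((n, "unexpected-host", host))
    return findings


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '{"method":"POST","path":"/v1/chat/completions","host":"litellm.internal.example","status":200}',
    '{"method":"POST","path":"/mcp-rest/test/connection","host":"litellm.internal.example","body_keys":["command","args","env"],"status":200}',
    '{"method":"GET","path":"/health","host":"203.0.113.9","status":200}',
    '{"method":"POST","path":"/mcp-rest/test/tools/list?x=1","host":"litellm.internal.example:4000","body_keys":["url"],"status":200}',
]

if __name__ == "__main__":
    for n, kind, detail in review_access_log(SAMPLE_LOG):
        print(f"line {n}: {kind} ({detail})")
```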

There is no public information identifying which threat actors, if any, are exploiting the vulnerability chain in the wild, how widespread incidents may be, or whether observed activity uses the full chained exploit rather than only the LiteLLM flaw. Vendors and CISA continue to monitor activity and have urged rapid patching.

The alert follows a recent critical SQL injection bug in LiteLLM, CVE-2026-42208, which was reported under active exploitation within 36 hours of disclosure.
