LiteLLM Command Injection Enables Remote Code Execution (CVE-2026-42271)
Key Takeaways
- CVE-2026-42271 is a command injection flaw in BerriAI LiteLLM rated 8.7 on the CVSS scale.
- CISA added it to the Known Exploited Vulnerabilities catalog on June 8, 2026 after evidence of active exploitation.
- Chained with a Starlette host header bypass, it becomes unauthenticated RCE with a combined CVSS of 10.0.
Summary
The AI gateway became the open door. On June 9, 2026, as reported by The Hacker News, CISA flagged active exploitation of CVE-2026-42271, a command injection flaw in the widely used LiteLLM proxy. Two endpoints meant to preview a Model Context Protocol server let an authenticated user run arbitrary commands on the host, and a separate bypass can remove the authentication requirement entirely.
What We Know
BerriAI LiteLLM is a popular open source AI gateway and Python SDK used to connect applications to many model providers. CVE-2026-42271, rated 8.7, affects LiteLLM versions from 1.74.2 up to but not including 1.83.7. Two endpoints used to preview a Model Context Protocol server before saving it accepted a full server configuration in the request body, including the command, arguments and environment fields used by the stdio transport. When called with that configuration, the proxy spawned the supplied command as a subprocess on the host with the privileges of the proxy process. The endpoints were protected only by a valid proxy API key, so any authenticated user could execute commands. The CISA Known Exploited Vulnerabilities alert added the flaw on June 8, 2026, citing active exploitation, and the National Vulnerability Database entry documents the technical scope. Patches in version 1.83.7 now require the proxy admin role on both endpoints.
What Happened
This is a classic command injection enabled by broken access control, amplified by the gateway's central role. The preview endpoints trusted a caller supplied stdio configuration and executed it, while the authorization checks that applied to the save endpoint were missing here, so a low privileged but authenticated key could reach code execution. Researchers then chained the bug with a Starlette host header validation bypass, tracked as CVE-2026-48710, that affects deployments whose dependency tree includes vulnerable Starlette versions. Together the two issues sidestep authentication completely, turning the flaw into unauthenticated remote code execution with a combined severity rated at the maximum of ten. A successful attacker can run commands on the host, read model provider credentials, siphon API keys and secrets stored by the proxy, move laterally into connected AI infrastructure, and reach downstream systems.
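The affected range and the Starlette chain described above, turned into an inventory check over `pip freeze` output. This is an added example, not code from LiteLLM or from the sources cited here; the sample pins are constructed, and because this page does not state which Starlette versions CVE-2026-48710 affects, the script only reports that Starlette is present.

```python
import re

# Affected range stated on this page: 1.74.2 <= version < 1.83.7
FIRST_AFFECTED = (1, 74, 2)
FIRST_FIXED = (1, 83, 7)

# Constructed sample of `pip freeze` output (not from a real deployment).
SAMPLE_FREEZE = """\
fastapi==0.115.0
LiteLLM==1.80.3
starlette==0.40.0
uvicorn==0.30.1
"""

def parse_version(text):
    """Return (major, minor, patch) from the leading numeric part of a version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def litellm_affected(version):
    """True if the version falls in the affected range for CVE-2026-42271."""
    v = parse_version(version)
    # A pre-release of the fixed version (e.g. 1.83.7rc1) sorts before 1.83.7,
    # so it is flagged rather than assumed to carry the fix.
    prerelease = re.search(r"(a|b|rc|dev)\d*$", version.strip()) is not None
    return FIRST_AFFECTED <= v < FIRST_FIXED or (v == FIRST_FIXED and prerelease)

def audit_freeze(freeze_text):
    """Return findings for name==version pins in pip-freeze style text."""
    pins = {}
    for line in freeze_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version = line.split("==", 1)
        key = re.sub(r"[-_.]+", "-", name.split("[")[0]).lower()  # normalise name
        pins[key] = version.strip()
    findings = []
    lv = pins.get("litellm")
    if lv and litellm_affected(lv):
        findings.append(f"litellm {lv}: affected by CVE-2026-42271, upgrade to 1.83.7 or later")
    sv = pins.get("starlette")
    if sv:  # affected Starlette range is not given on this page: report for review
        findings.append(f"starlette {sv}: present, check against the CVE-2026-48710 advisory")
    return findings
```

Feed it the output of `pip freeze` from the environment the proxy actually runs in, since Starlette arrives as a transitive dependency and will not appear in a top-level requirements file.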
Why It Matters
An AI gateway is a concentration point. It brokers traffic to many model providers and stores the credentials and keys that make those connections work, so compromising it can unlock an entire AI estate in one move. Active exploitation and a CISA catalog listing mean this is an operational risk, with federal agencies directed to remediate on a deadline and every exposed deployment a live target. The credentials a gateway holds are exactly what attackers need for lateral movement, data theft and downstream compromise, and the chain to unauthenticated access removes the last barrier of needing a valid key. For organizations standardizing on AI gateways, the incident is a reminder that this convenience layer is now critical infrastructure that demands hardening, monitoring and rapid patching, in line with CISA secure by design principles.
PointGuard AI Perspective
PointGuard AI helps organizations secure the AI gateway as the critical control point it has become. AI software bill of materials visibility inventories the gateways, models, MCP servers and dependencies an environment relies on, including transitive components like Starlette, so teams can find exposed LiteLLM versions and vulnerable dependency chains before attackers do. Continuous monitoring watches the gateway for the subprocess execution and anomalous host header activity that mark this attack, turning silent exploitation into a detectable event. Policy enforcement applies least privilege to administrative endpoints and to the credentials a proxy can reach, shrinking what an attacker gains even if code execution occurs. We have tracked LiteLLM risk closely, including a LiteLLM proxy misconfiguration that enabled remote code execution and a LiteLLM supply chain attack that exposed cloud secrets. The forward looking lesson is that trustworthy AI adoption depends on treating the gateway like the crown jewels it protects, with rigorous dependency visibility, least privilege, runtime monitoring and a patching cadence fast enough to beat attackers who weaponize AI infrastructure flaws within hours.
Incident Scorecard Details
Total AISSI Score: 8.2 / 10
Criticality = 9, the gateway holds model provider credentials, API keys and secrets for an entire AI estate, AISSI weighting: 25%
Propagation = 8, the gateway is a hub and the flaw enables lateral movement into connected AI infrastructure, AISSI weighting: 20%
Exploitability = 8, confirmed active exploitation and a CISA Known Exploited Vulnerabilities listing, AISSI weighting: 15%
Supply Chain = 9, a widely used open source gateway chaining through a third party Starlette dependency, AISSI weighting: 15%
Business Impact = 7, active exploitation and federal remediation pressure, no confirmed downstream compromise yet, AISSI weighting: 25%
Sources
- The Hacker News, LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE
- CISA, Adds Two Known Exploited Vulnerabilities to Catalog
- NVD, CVE-2026-42271 Detail
- PointGuard AI, LiteLLM Proxy Misconfig Enables Remote Code Execution (CVE-2026-35029)
- PointGuard AI, LiteLLM AI Supply Chain Attack Exposes Cloud Secrets
