CISA Adds LiteLLM Command Injection Flaw to KEV After Wild Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity command injection vulnerability in BerriAI LiteLLM to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active in-the-wild attacks. Tracked as CVE-2026-42271 with a CVSS score of 8.7, the flaw resides in two MCP preview endpoints—POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list—which accepted a full stdio server configuration in the request body, including the command, args, and env fields. When invoked, these endpoints spawned the attacker-supplied command as a subprocess on the proxy host, and because they were protected only by a valid proxy API key, any authenticated user—including low-privilege internal-user keys—could execute arbitrary commands. The issue affects LiteLLM Python package versions >= 1.74.2 and < 1.83.7, and the fix in 1.83.7 tightens both endpoints to require the PROXY_ADMIN role, aligning them with the existing save endpoint.

Last week, researchers at Horizon3.ai demonstrated that the vulnerability becomes far more dangerous when chained with CVE-2026-48710 (CVSS 6.5), a "BadHost" host header validation bypass in the Starlette ASGI framework used by LiteLLM deployments. By manipulating the Host header, an attacker can circumvent LiteLLM's authentication layer entirely, transforming an authenticated command injection into fully unauthenticated remote code execution against any deployment pulling in Starlette versions ≤ 1.0.0. Horizon3.ai rated the combined exploit chain at a CVSS of 10.0, warning that successful weaponization could let threat actors run arbitrary commands, harvest model provider credentials, exfiltrate API keys and secrets stored by the proxy, pivot into connected AI infrastructure, and compromise downstream systems integrated through the gateway. Operators are strongly urged to verify their LiteLLM instances against a port scanner to confirm exposure and to use an SSL/TLS checker to validate that reverse proxies in front of LiteLLM are enforcing proper header validation.

CISA has not yet disclosed the identity of the threat actor, the scale of the campaign, or whether the observed in-the-wild exploitation is leveraging the unauthenticated chain or the original authenticated path. Defenders should upgrade LiteLLM to version 1.83.7 or later immediately, audit proxy logs for unusual requests to the two MCP test endpoints, rotate any API keys and model provider credentials that may have been stored on the host, and review dependent Starlette versions to ensure they are patched against CVE-2026-48710. Administrators can also run a email breach checker to verify whether administrator credentials tied to the deployment have appeared in known credential dumps, which would inform the urgency of rotation and incident response procedures.