LiteLLM CVE-2026-42271 MCP stdio command injection

Summary

CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog on June 8, 2026, citing active exploitation of a BerriAI LiteLLM command-injection vulnerability.

GitHub's advisory describes the bug as authenticated command execution through two LiteLLM MCP REST preview endpoints: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. In affected versions, those endpoints accepted full MCP server configuration from the request body, including stdio command, args, and env fields. When the proxy tried to test a stdio server, it spawned the supplied command as a subprocess on the LiteLLM proxy host.

Affected versions are LiteLLM 1.74.2 up to, but not including, 1.83.7. The patched version is 1.83.7.

Why this matters

  • LiteLLM is commonly deployed as an AI gateway / proxy in front of model providers; compromise can expose model credentials, API keys, chat data, and adjacent internal services reachable from the proxy host.
  • The endpoints were gated by a valid proxy API key, but GitHub says there was no role check: any authenticated user, including low-privilege internal-user key holders, could trigger host command execution.
  • This is a concrete exploited instance of the broader MCP stdio boundary: stdio transport is meant to execute commands, so applications must not let untrusted users provide raw command / args values.
  • CISA's KEV due date for covered U.S. federal civilian agencies is June 22, 2026; private defenders should treat internet-exposed or broadly shared LiteLLM proxies as urgent.

Reported vulnerable path

  • A user with any valid proxy API key sends a request to one of the MCP preview endpoints:
      • POST /mcp-rest/test/connection
      • POST /mcp-rest/test/tools/list
  • The request body supplies a stdio MCP server configuration, including attacker-controlled command, args, or env fields.
  • LiteLLM attempts to preview or list tools for the configured server.
  • The proxy host spawns the supplied command with the privileges of the LiteLLM proxy process.

Defender actions

  • Upgrade LiteLLM to 1.83.7 or later.
  • If immediate upgrade is not possible, restrict access to the LiteLLM proxy and especially the MCP REST preview endpoints; treat any low-privilege internal-user key as sufficient for exploitation in affected versions.
  • Review LiteLLM logs and host telemetry for unexpected calls to /mcp-rest/test/connection or /mcp-rest/test/tools/list, followed by shell, Python, Node, curl, wget, package-manager, cloud-CLI, or archive-tool subprocesses from the LiteLLM process.
  • Rotate LiteLLM proxy keys and downstream model-provider / cloud credentials if exploitation is suspected.
  • Run LiteLLM with least privilege: isolated service account, minimal filesystem mounts, restricted egress, no ambient cloud metadata access, and no unnecessary secret-bearing environment variables.
  • Treat MCP stdio configuration as code execution. Prefer allow-listed MCP server profiles rather than letting users submit arbitrary command lines.
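
One way to apply the allow-list and role-check points above, as an added example that is not LiteLLM's code or its fix: the caller names a profile, and the server owns the command line. The `profile` request field, the `proxy_admin` role name, and the profile names and paths are assumptions made for illustration.

```python
from dataclasses import dataclass

# Operator-defined launch specs (constructed); callers choose a name, never a command.
STDIO_PROFILES = {
    "filesystem-readonly": ("/opt/mcp/bin/fs-server", ("--read-only", "/srv/docs")),
    "git-tools": ("/opt/mcp/bin/git-server", ()),
}
RAW_FIELDS = {"command", "args", "env"}  # stdio fields the advisory names
ALLOWED_ROLES = {"proxy_admin"}           # assumed role name

class RejectedConfig(Exception):
    """Request must not reach the subprocess layer."""

@dataclass(frozen=True)
class StdioLaunch:
    command: str
    args: tuple
    env: dict

def find_raw_fields(node, found=None):
    """Collect raw stdio keys anywhere in the body, including nested objects."""
    found = set() if found is None else found
    if isinstance(node, dict):
        for key, value in node.items():
            if key in RAW_FIELDS:
                found.add(key)
            find_raw_fields(value, found)
    elif isinstance(node, list):
        for item in node:
            find_raw_fields(item, found)
    return found

def resolve_stdio_request(body, caller_role):
    """Return the fixed launch spec for a test request, or raise RejectedConfig."""
    if caller_role not in ALLOWED_ROLES:
        raise RejectedConfig("role may not test MCP servers")
    if not isinstance(body, dict):
        raise RejectedConfig("body must be a JSON object")
    supplied = find_raw_fields(body)
    if supplied:
        raise RejectedConfig(f"caller-supplied stdio fields: {sorted(supplied)}")
    profile = body.get("profile")
    if not isinstance(profile, str) or profile not in STDIO_PROFILES:
        raise RejectedConfig("unknown stdio profile")
    command, args = STDIO_PROFILES[profile]
    return StdioLaunch(command, args, env={})  # empty env: no proxy secrets inherited
```

Logging each `RejectedConfig` with the caller's key identifier gives the same signal the log-review step looks for, without a subprocess ever starting.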

Sources

  • CISA KEV entry: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  • GitHub advisory GHSA-v4p8-mg3p-g94g: https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g
  • LiteLLM v1.83.7 stable release: https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable
  • NVD CVE-2026-42271: https://nvd.nist.gov/vuln/detail/CVE-2026-42271