CISA — CVE-2026-42271 Added to KEV Catalog; Active Exploitation Confirmed

AI relevance: CISA's KEV listing triggers mandatory patching deadlines for US federal agencies — and the chained exploit that combines CVE-2026-42271 (command injection in LiteLLM's MCP test endpoints) with CVE-2026-48710 (Starlette BadHost auth bypass) delivers fully unauthenticated RCE on the most widely deployed LLM proxy worldwide.

What happened

  • June 8, 2026 — CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed active exploitation in the wild.
  • The vulnerability is a command injection flaw in LiteLLM's MCP server test endpoints (POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list), which accepted arbitrary command, args, and env fields and spawned them as subprocesses on the proxy host.
  • Horizon3.ai chained this with CVE-2026-48710 (BadHost, a Starlette host-header validation bypass) to reach the test endpoints without any credentials, turning an authenticated command injection into unauthenticated RCE; the chain is rated CVSS 10.0 (Critical).
  • The timeline is compressed: CVE-2026-42271 was reported April 20, patched May 8 in LiteLLM 1.83.7, publicly disclosed May 26, and added to KEV on June 8. That is 49 days from initial report to confirmed in-the-wild exploitation, and only 13 days from public disclosure.
  • Under Binding Operational Directive 22-01, US federal civilian agencies must remediate KEV-listed vulnerabilities by the deadline CISA sets for each entry; for this one the deadline is June 29, 2026.
  • No details on the identity of threat actors or specific targets have been released, but CISA's KEV addition is based on observed exploitation rather than proof-of-concept activity.
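The first question a defender has after a KEV listing is whether those two endpoints were ever hit before the patch went on. The script below is an added example, not code from the advisory or from LiteLLM: it parses nginx/Apache "combined" access-log lines (the log format is an assumption; the sample lines and RFC 5737 addresses are constructed), normalizes the request path so trailing-slash and doubled-slash variants are not missed, and separates attempts that reached the handler (2xx) from ones a gateway block turned away.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# The two endpoints named in the advisory for CVE-2026-42271.
MCP_TEST_ENDPOINTS = frozenset({"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"})

# nginx/Apache "combined" access-log format (assumed); group names are ours.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int


def normalize_path(target: str) -> str:
    """Strip the query string, collapse doubled slashes and drop a trailing slash,
    so redirect/bypass variants of the same route compare equal."""
    path = target.split("?", 1)[0]
    path = re.sub(r"/{2,}", "/", path)
    return path.rstrip("/") or "/"


def find_mcp_test_hits(lines: Iterable[str]) -> List[Hit]:
    """Return every POST to a vulnerable MCP test endpoint, whatever the status."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        if m["method"] != "POST":
            continue  # the vulnerable handlers are POST-only per the advisory
        path = normalize_path(m["target"])
        if path in MCP_TEST_ENDPOINTS:
            hits.append(Hit(m["ip"], m["ts"], path, int(m["status"])))
    return hits


def likely_successful(hits: List[Hit]) -> List[Hit]:
    """A 2xx means the handler ran (and could have spawned a process); 401/403/5xx
    are attempts worth recording but not evidence the injection executed."""
    return [h for h in hits if 200 <= h.status < 300]


# Constructed sample lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jun/2026:02:14:11 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 312 "-" "python-requests/2.32.3"',
    '198.51.100.20 - - [07/Jun/2026:02:14:12 +0000] "POST /mcp-rest/test/tools/list/ HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '10.0.0.5 - - [07/Jun/2026:02:15:00 +0000] "POST /chat/completions HTTP/1.1" 200 1024 "-" "openai-python/1.40.0"',
    '10.0.0.5 - - [07/Jun/2026:02:15:03 +0000] "GET /mcp-rest/test/connection HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jun/2026:02:16:40 +0000] "POST //mcp-rest/test/connection?x=1 HTTP/1.1" 403 57 "-" "python-requests/2.32.3"',
]

if __name__ == "__main__":
    hits = find_mcp_test_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} POST {h.path} -> {h.status}")
    print(f"{len(likely_successful(hits))} of {len(hits)} attempts reached the handler")
```

Access logs do not capture the POST body, so the injected command, args and env fields are not recoverable from this source; a 2xx on either endpoint from an address you do not recognize is the signal to treat the host as compromised and move to credential rotation.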

Why it matters

A KEV listing turns a vulnerability from a security advisory into a compliance obligation. Any organization with federal contracts, CMMC obligations, or cyber insurance tied to CISA advisories should treat this as a priority remediation item. The chained attack path also means that patching one side is not enough. Upgrading LiteLLM removes the command-injection sink, but an unpatched Starlette still lets unauthenticated callers reach every other endpoint behind the proxy; upgrading Starlette alone restores the authentication gate, but anyone holding a valid key, or who obtains one, can still spawn commands through the test endpoints. With LiteLLM at 95M+ downloads and an estimated 36% penetration in cloud environments, the attack surface is large and the exploit is now confirmed weaponized.

What to do

  • Upgrade LiteLLM to 1.83.7+ immediately — check with pip show litellm.
  • Upgrade Starlette to 1.0.1+ across all AI infrastructure (LiteLLM, vLLM, custom FastAPI services).
  • If immediate patching isn't possible, block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at your reverse proxy or API gateway.
  • Rotate every secret readable by a LiteLLM instance that was internet-exposed before patching. A successful exploit runs as the proxy process, so treat upstream provider keys in its environment or config, the proxy master key and any virtual keys it issued, and database credentials as compromised.
  • Scan with badhost.org to detect BadHost (CVE-2026-48710) exposure on your Starlette deployments.
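Where the reverse proxy is not under your control, the same deny rule can sit in front of the application itself. The middleware below is an added example, not LiteLLM's or Starlette's own code: a dependency-free ASGI wrapper that answers 403 to POST on the two endpoints before the wrapped app's router sees the request, with the same path normalization a gateway rule needs. It assumes you can wrap the proxy's ASGI app object when you launch it; upstream_app is a constructed stand-in, and request() drives the app in memory so the block runs with no server.

```python
import asyncio
import json
import re

# Endpoints named in the advisory for CVE-2026-42271.
BLOCKED_PATHS = frozenset({"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"})


def normalize_path(path: str) -> str:
    """Collapse doubled slashes and drop a trailing slash so '/x//y/' and '/x/y' match."""
    path = re.sub(r"/{2,}", "/", path)
    return path.rstrip("/") or "/"


class DenyMcpTestEndpoints:
    """ASGI middleware: refuse POST on the vulnerable endpoints before the wrapped
    app (and its router) ever handles the request."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if (
            scope["type"] == "http"
            and scope.get("method", "").upper() == "POST"
            and normalize_path(scope.get("path", "")) in BLOCKED_PATHS
        ):
            body = json.dumps(
                {"detail": "MCP test endpoints disabled pending CVE-2026-42271 remediation"}
            ).encode()
            await send({
                "type": "http.response.start",
                "status": 403,
                "headers": [
                    (b"content-type", b"application/json"),
                    (b"content-length", str(len(body)).encode()),
                ],
            })
            await send({"type": "http.response.body", "body": body, "more_body": False})
            return
        await self.app(scope, receive, send)


# Stand-in for the proxied application; constructed for the example only.
async def upstream_app(scope, receive, send):
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json")]})
    await send({"type": "http.response.body", "body": b'{"ok": true}'})


def request(app, method: str, path: str):
    """Drive an ASGI app in memory (no server, no network); return (status, body)."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": method, "path": path,
             "headers": [], "query_string": b""}
    asyncio.run(app(scope, receive, send))
    status = next(m["status"] for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return status, body


guarded = DenyMcpTestEndpoints(upstream_app)

if __name__ == "__main__":
    for method, path in [
        ("POST", "/mcp-rest/test/connection"),
        ("POST", "/mcp-rest/test/tools/list/"),
        ("POST", "//mcp-rest/test/connection"),
        ("GET", "/mcp-rest/test/connection"),
        ("POST", "/chat/completions"),
    ]:
        print(f"{method} {path} -> {request(guarded, method, path)[0]}")
```

This is a stopgap, not a fix: it runs inside the same process as the vulnerable handler, it does nothing about the Starlette host-header bypass, and it only closes the two paths the advisory names. Verify it from outside the network boundary, then still take the upgrades.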

Sources