Horizon3 — CVE-2026-42271 Chained with BadHost for Unauthenticated LiteLLM RCE

AI relevance: LiteLLM (95M+ downloads) is a core proxy in AI serving stacks worldwide — chaining an unauthenticated RCE with an auth-bypass means any exposed LiteLLM instance can become a full remote shell without credentials.

Horizon3 has confirmed a full unauthenticated remote code execution chain against LiteLLM by combining two separate vulnerabilities:

  • CVE-2026-42271 — an RCE flaw in LiteLLM itself, disclosed May 8, 2026. The vulnerability requires authentication to exploit in its standalone form.
  • CVE-2026-48710 ("BadHost") — a host-header injection in Starlette that bypasses path-based access controls with a single malformed character in the HTTP Host header. Starlette 1.0.1 patched this on May 21.

When chained, the BadHost bypass strips away the authentication gate entirely, turning the LiteLLM RCE from a credentialed exploit into a fully unauthenticated attack. The result: any LiteLLM deployment running on an unpatched Starlette version (and directly exposed without a reverse proxy) can be turned into a remote shell by an attacker with network access.

Why it matters

LiteLLM sits between LLM consumers and upstream providers (OpenAI, Anthropic, Azure, etc.) — it routes API keys, manages rate limits, and handles billing. An RCE on a LiteLLM instance exposes all configured API keys, tenant routing tables, and any downstream models. The BadHost vulnerability was discovered during an OSTIF-sponsored audit of vLLM, underscoring that the entire Python AI serving stack shares this dependency surface. Internal AI labs and development environments are at highest risk, as they rarely sit behind CDN or reverse-proxy layers that would normalize the Host header before it reaches Starlette.

What to do

  • Upgrade Starlette to 1.0.1+ across all AI infrastructure (LiteLLM, vLLM, custom FastAPI services).
  • Audit LiteLLM instances running versions published before May 8, 2026.
  • Ensure AI serving endpoints are behind a reverse proxy or CDN that validates and normalizes Host headers before they reach the ASGI layer.
  • Use badhost.org to scan for BadHost exposure.
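As an added defensive illustration of the third and first bullets above (this is example code written for this summary, not Horizon3's, Starlette's or LiteLLM's code, and it does not reproduce the BadHost input, which the advisory does not detail): a strict Host-header gate that a deployment could run before any path-based access check, rejecting anything that is not exactly one well-formed `hostname[:port]` on an allow-list, plus a version comparison against the 1.0.1 Starlette fix line named above. The allow-list hostnames and the sample requests are constructed values for illustration.

```python
"""Strict Host-header gate for an ASGI front door (added example; not Starlette/LiteLLM code)."""
import re
from typing import List, Optional, Tuple

# Hostnames this deployment is legitimately reached under (constructed sample values).
ALLOWED_HOSTS = {"litellm.internal.example", "localhost"}

# Strict hostname[:port] grammar: DNS labels of [a-z0-9-] with no leading/trailing hyphen,
# plus an optional numeric port. Anything else (whitespace, '@', '/', '#', '\\', non-ASCII,
# userinfo, a scheme) fails the match outright instead of being "cleaned up".
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?P<host>{_LABEL}(?:\.{_LABEL})*)(?::(?P<port>[0-9]{{1,5}}))?$")


def parse_host(raw: bytes) -> Optional[Tuple[str, Optional[int]]]:
    """Return (hostname, port) for a well-formed Host value, or None if it must be rejected."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # non-ASCII bytes are never a valid Host value
    # Surrounding whitespace or any control/space character: reject rather than trim.
    if text != text.strip() or any(not (0x21 <= ord(c) <= 0x7E) for c in text):
        return None
    m = _HOST_RE.match(text.lower())  # hostnames are case-insensitive; compare lower-cased
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not (1 <= port <= 65535):
        return None
    return m.group("host"), port


def host_gate(headers: List[Tuple[bytes, bytes]], allowed=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Decide whether a request may proceed to path-based access checks.

    headers is an ASGI-style list of (name, value) byte pairs. Returns (ok, reason).
    Exactly one Host header is required; duplicates are as suspicious as a missing one.
    """
    hosts = [value for name, value in headers if name.lower() == b"host"]
    if len(hosts) != 1:
        return False, f"expected exactly one Host header, got {len(hosts)}"
    parsed = parse_host(hosts[0])
    if parsed is None:
        return False, "malformed Host header"
    host, _port = parsed
    if host not in allowed:
        return False, f"host {host!r} not in allow-list"
    return True, host


def starlette_is_patched(version: str, fixed: Tuple[int, int, int] = (1, 0, 1)) -> bool:
    """True if a Starlette version string is at or above the 1.0.1 fix release named in the advisory."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, patch) >= fixed


# Constructed sample requests: two legitimate shapes and several that a strict gate must refuse.
SAMPLE_REQUESTS = {
    "clean":      [(b"host", b"litellm.internal.example"), (b"user-agent", b"curl/8.0")],
    "clean_port": [(b"host", b"LITELLM.internal.example:4000")],
    "unknown":    [(b"host", b"evil.example")],
    "userinfo":   [(b"host", b"litellm.internal.example@evil.example")],
    "path":       [(b"host", b"litellm.internal.example/")],
    "space":      [(b"host", b"litellm.internal.example ")],
    "duplicate":  [(b"host", b"litellm.internal.example"), (b"host", b"evil.example")],
    "missing":    [(b"user-agent", b"curl/8.0")],
}


def run_samples() -> dict:
    """Map each constructed sample to the gate's allow/reject decision."""
    return {name: host_gate(hdrs)[0] for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(f"{name:10s} -> {'allow' if ok else 'reject'}")
    for v in ("0.47.3", "1.0.0", "1.0.1"):
        print(f"starlette {v}: {'patched' if starlette_is_patched(v) else 'UPGRADE'}")
```

The design choice worth noting is that the gate never normalizes a bad value into a good one: trimming, stripping or lower-casing an unexpected character is exactly the kind of "helpful" cleanup that lets one framework's view of the Host disagree with another's. A reverse proxy or CDN in front of the ASGI layer should apply the same rule, so that the application only ever sees values the edge has already accepted.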

Sources