LiteLLM CVE-2026-42271 — Unauthenticated RCE via Starlette bypass

AI relevance: LiteLLM is the most widely deployed open-source AI gateway for routing model-provider APIs; when exposed to the internet, the two-vuln chain gives any remote attacker full host compromise — including exfiltration of model-provider credentials and lateral movement into downstream AI infrastructure.

What happened

• CVE-2026-42271 (CVSS 8.7) is a command injection flaw in BerriAI LiteLLM's /mcp-rest/test/connection and /mcp-rest/test/tools/list endpoints. A request with a stdio transport config causes LiteLLM to spawn the supplied command field as a subprocess on the proxy host.
• CVE-2026-48710 is a Host header validation bypass in Starlette ≤ 1.0.0, the HTTP framework LiteLLM uses. It allows attackers to circumvent proxy API key authentication entirely.
• Chained together, the two flaws yield unauthenticated remote code execution. No API key, no valid session — just a crafted POST.
• CISA added CVE-2026-42271 to its KEV catalog on June 8 after confirming active exploitation. FCEB agencies now have binding remediation obligations.
• Affected: LiteLLM ≥ 1.74.2 and < 1.83.7, especially when paired with Starlette ≤ 1.0.0.
• Horizon3.ai researchers published proof-of-concept exploits demonstrating the unauthenticated RCE chain.

Observed exploitation

• Attackers are running automated scanners for exposed LiteLLM instances.
• Post-compromise activity includes web shell deployment, persistence installation, model-provider credential theft, and lateral movement into connected AI systems.
• Impact extends beyond the gateway: stolen API keys can grant access to upstream model providers and downstream orchestration layers.

Why it matters

LiteLLM sits at the authentication boundary for dozens of model providers in production AI stacks. A single exposed instance chains to full host compromise with zero authentication. The Starlette bypass eliminates the only remaining gatekeeper. Every organization running LiteLLM as a proxy — particularly those exposing it to the internet — should treat this as a priority patch.

What to do

• Upgrade LiteLLM to ≥ 1.83.7 — adds PROXY_ADMIN role enforcement on the test endpoints.
• Upgrade Starlette to ≥ 1.0.1 — fixes the Host header bypass.
• If patching isn't immediate: block /mcp-rest/test/connection and /mcp-rest/test/tools/list at your reverse proxy; restrict network access to trusted segments only.
• Rotate all credentials stored by the proxy (model API keys, internal-user keys, any secrets reachable from the host).
• Scan logs for requests to the MCP test endpoints, unusual Host header values, and unexpected subprocess execution.

Sources

• The Hacker News — CVE-2026-42271 exploited in the wild
• CISA — KEV catalog addition (June 8)
• Rescana — Active exploitation alert with technical chain analysis
• Help Net Security — CISA warning and mitigation details