CVE-2026-42271 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in O… | CVSS 8.7 HIGH

Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.

Metadata

CVE ID: CVE-2026-42271
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-04-26 11:53 UTC
Published: 2026-05-08 03:35 UTC
Last updated: 2026-06-09 03:55 UTC
Primary CWE: CWE-77
CWE-77: Improper Neutralization of Special Elements used in …
Vendor / Product: BerriAI / litellm
Sources: cve.org · NVD

Severity & Metrics

8.7 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: ACTIVE
Automatable: no
Tech. Impact: total

CISA Known Exploited Vulnerability

Vulnerability name: BerriAI LiteLLM Command Injection Vulnerability
Vendor: BerriAI
Product: LiteLLM
Added to KEV: 2026-06-08
Due date: 2026-06-22
Ransomware: Not known

Required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA description

BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host.

Affected products (1)

Vendor	Product	Platform	Versions
BerriAI	litellm	—	>= 1.74.2, < 1.83.7

Weakness (CWE)

CWE	Source	Description
CWE-77	cna	CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78	cna	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

References (2)

https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g
https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable