CVE Catalog

Actively exploited in the wild

BerriAI LiteLLM Command Injection Vulnerability

BerriAI — LiteLLM · Listed in the CISA KEV since 2026-06-08. This indicates confirmed attacks in production environments.

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2026-42271

HighCVSS 8.8KEV
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
80.19%

100th percentile — higher than 100% of all known CVEs

Summary

LiteLLM versions 1.74.2 through 1.83.6 have a vulnerability in the POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list endpoints, which accept a full MCP server configuration including commands to execute. An authenticated user with any API key (even low-privilege) can run arbitrary commands on the proxy host.

Risk Assessment

An attacker with API access can take over the proxy server by executing arbitrary commands, compromising confidentiality, integrity, and availability of the system.

Recommendation

Immediately upgrade LiteLLM to version 1.83.7 or later. Restrict API access to trusted users and apply the principle of least privilege.

Original NVD description (English source)

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS