LiteLLM vulnerability under active attack, CISA warns (CVE-2026-42271)

A command injection vulnerability (CVE-2026-42271) in BerryAI’s LiteLLM open-source AI gateway is being exploited by attackers, the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed by adding the flaw to its Known Exploited Vulnerabilities catalog on Monday.

About CVE-2026-42271

LiteLLM is an open-source library that provides a unified interface for calling many different large language model APIs using a single (OpenAI) format.

Developers and enterprises use it to avoid vendor lock-in, centrally manage API keys and costs, and route or load-balance AI traffic without rewriting integration code.

LiteLLM can be used either by integrating the Python SDK (software development kit) directly into applications, or by running it as a standalone AI gateway / proxy server that teams and organizations can point their apps at.

CVE-2026-42271, which was publicly disclosed in April 2026, arises from improper neutralization of special elements used in a command and in an OS command, i.e., command injection.

“Two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio [Standard Input/Output] transport,” the company’s GitHub advisory explains.

“When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host.”

“BadHost” vulnerability lowers the bar for LiteLLM attackers

It was initially believed that attackers needed a valid proxy API key to successfully exploit CVE-2026-42271.

However, Horizon3.ai researchers confirmed that this requirement can be eliminated if attackers can exploit CVE-2026-48710, an authentication bypass vulnerability dubbed BadHost, which affects Starlette – a lightweight Python web framework that LiteLLM uses to handle HTTP requests.

“Successful exploitation allows attackers to: execute arbitrary commands on the LiteLLM host, access model provider credentials, steal API keys and secrets stored by the proxy, move laterally into connected AI infrastructure, [and] compromise downstream systems integrated with the gateway,” they noted, and shared a list of indicators and activity that may point to compromise.

CVE-2026-48710 has been fixed in Starlette v1.0.1.

LiteLLM is a recurring target

A fix for CVE-2026-42271 has been added to v1.83.7 of the LiteLLM library, and includes additional authorization controls (allowing only users with the PROXY_ADMIN role to call the test endpoints) and updated Starlette dependencies.

Individuals and organizations using LiteLLM have been advised to upgrade to the fixed version or, if that’s not possible, to block access to the above-mentioned MCP test endpoints, restrict network access to trusted segments, and rotate credentials stored by the proxy.
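Alongside those mitigations, access logs can be reviewed for POST requests to the two MCP test endpoints named in the advisory. The following is an added example, not code from LiteLLM, BerryAI or Horizon3.ai; it assumes the proxy, or a reverse proxy in front of it, writes common/combined-format access logs, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# The two MCP preview endpoints named in the advisory quoted above.
MCP_TEST_ENDPOINTS = ("/mcp-rest/test/connection", "/mcp-rest/test/tools/list")

# Assumption: access logs are in common/combined log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop the query string, decode %-escapes, collapse slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def find_mcp_test_calls(lines):
    """Return {client: [(timestamp, endpoint, status, accepted), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = normalize_path(m["target"])
        for endpoint in MCP_TEST_ENDPOINTS:
            # endswith() also catches deployments served under a path prefix.
            if path.endswith(endpoint):
                status = int(m["status"])
                # accepted: the server did not reject the call at the HTTP level.
                hits[m["client"]].append((m["ts"], endpoint, status, status < 400))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2026:10:00:01 +0000] "POST /v1/chat/completions HTTP/1.1" 200 512 "-" "app"',
    '198.51.100.7 - - [01/Jun/2026:10:02:13 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.7 - - [01/Jun/2026:10:02:15 +0000] "POST /proxy//mcp-rest/test/tools/list/?x=1 HTTP/1.1" 403 40 "-" "-"',
    '192.0.2.10 - - [01/Jun/2026:10:03:00 +0000] "GET /mcp-rest/test/connection HTTP/1.1" 405 0 "-" "-"',
]

if __name__ == "__main__":
    for client, calls in find_mcp_test_calls(SAMPLE_LOG).items():
        for ts, endpoint, status, accepted in calls:
            print(client, ts, endpoint, status, "ACCEPTED" if accepted else "rejected")
```

Any accepted call from a client that is not a known administrator is worth correlating with process and outbound-connection telemetry on the proxy host for the same time window.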

Unfortunately, no details are available about the attack(s) in which CVE-2026-42271 is being leveraged, and no confirmation that attackers are exploiting CVE-2026-48710 at the same time. CISA has directed US federal civilian agencies to address CVE-2026-42271 by June 22, 2026.

This is the second time in a month that a publicly disclosed LiteLLM flaw has been weaponized by attackers.

In March 2026, BerryAI was also hit with a supply chain attack by TeamPCP, which resulted in the publishing of malicious LiteLLM versions on the Python Package Index (PyPI).
