LiteLLM RCE actively exploited (CVE-2026-42271) [PoC]
CVE-2026-42271: LiteLLM 1.74.2-1.83.7 authenticated RCE via MCP endpoints (CVSS 8.8). Actively exploited. Update to 1.83.7 immediately.
Actively exploited in the wild - CVE-2026-42271 is a high-severity remote code execution vulnerability in LiteLLM proxy server versions 1.74.2 through 1.83.7 that lets any authenticated user run arbitrary commands on the host. Patched in version 1.83.7 - update immediately.
Overview
LiteLLM, an AI Gateway proxy that provides OpenAI-format API access to multiple LLM backends, contains a critical flaw in two MCP test endpoints: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. These endpoints accept a full server configuration in the request body, including command, args, and env fields for stdio transport. When a stdio configuration is provided, the endpoint spawns the supplied command as a subprocess on the proxy host.
The vulnerability is gated only by possession of a valid proxy API key - no role or privilege check is performed. Any authenticated user, including holders of low-privilege internal-user keys, can execute arbitrary commands on the host running the LiteLLM proxy.
Impact
Successful exploitation allows an attacker to execute arbitrary commands with the privileges of the LiteLLM proxy process. This typically provides initial access to the host, enabling lateral movement, credential theft, data exfiltration, or deployment of additional malware. Given CISA’s confirmation of active exploitation, this vulnerability poses an immediate threat to affected deployments.
Affected Versions
- Affected: LiteLLM versions 1.74.2 through 1.83.6
- Fixed: LiteLLM version 1.83.7
Deployments running earlier versions (pre-1.74.2) are not affected by this specific issue but should still be updated.
Remediation
- Immediately update LiteLLM to version 1.83.7 or later.
- Restrict API key permissions to the minimum required for legitimate operations.
- Monitor for anomalous process creation on proxy hosts - watch for unexpected command execution or connections to external IPs.
- Audit access logs for unusual MCP endpoint activity, particularly from internal-user API keys.
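One way to run the access-log audit from the last item, as an added example that is not part of the original advisory. The log is a constructed JSON-lines sample, and the field names (`method`, `path`, `key_alias`, `role`) and the role value `proxy_admin` are assumptions to map onto whatever your proxy or gateway actually records.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# The two MCP test endpoints named in this advisory.
MCP_TEST_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

# Constructed sample log (JSON lines). The field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2026-01-10T09:00:01Z","method":"POST","path":"/chat/completions","status":200,"key_alias":"svc-chat","role":"internal_user"}
{"ts":"2026-01-10T09:02:11Z","method":"POST","path":"/mcp-rest/test/connection","status":200,"key_alias":"dev-key-7","role":"internal_user"}
{"ts":"2026-01-10T09:02:15Z","method":"post","path":"/mcp-rest/test/tools/list/?x=1","status":200,"key_alias":"dev-key-7","role":"internal_user"}
{"ts":"2026-01-10T09:30:00Z","method":"POST","path":"/mcp-rest/test/connection","status":200,"key_alias":"ops-admin","role":"proxy_admin"}
{"ts":"2026-01-10T09:31:00Z","method":"GET","path":"/mcp-rest/test/connection","status":405,"key_alias":"svc-chat","role":"internal_user"}
truncated line, not JSON
"""


def normalise_path(raw):
    """Drop the query string and trailing slash so URL variants still match."""
    return urlsplit(raw).path.rstrip("/") or "/"


def audit(log_text, admin_roles=("proxy_admin",)):
    """Return (findings, malformed): POSTs to the MCP test endpoints,
    marked "high" when the calling key does not hold an admin role."""
    findings, malformed = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        try:
            rec = json.loads(line)
            path, method = normalise_path(rec["path"]), rec["method"].upper()
        except (ValueError, KeyError, TypeError, AttributeError):
            malformed += 1  # count unparsable lines instead of hiding them
            continue
        if method != "POST" or path not in MCP_TEST_PATHS:
            continue
        role = rec.get("role", "unknown")
        findings.append({"ts": rec.get("ts"), "path": path, "role": role,
                         "key_alias": rec.get("key_alias", "unknown"),
                         "severity": "review" if role in admin_roles else "high"})
    return findings, malformed


def high_risk_keys(findings):
    """Count high-severity hits per key alias for follow-up."""
    return Counter(f["key_alias"] for f in findings if f["severity"] == "high")


if __name__ == "__main__":
    hits, bad = audit(SAMPLE_LOG)
    print(high_risk_keys(hits), "malformed lines:", bad)
```

Hits from admin keys are marked `review`, not dropped, because the test endpoints should see little legitimate traffic in production.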
Security Insight
This vulnerability highlights a recurring pattern in modern AI infrastructure: exposing powerful debug or test endpoints with insufficient authorization. The trend of “ship the admin functionality, add proper auth later” has become a common attack vector as organizations race to deploy AI gateways. The lesson from this incident - and similar flaws in other AI proxies - is that test endpoints should never reach production environments, and when they do, they must enforce the same authorization model as production endpoints.
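A minimal model of the authorization gap described above, added here as an illustration; it is not LiteLLM's code and not the 1.83.7 fix. The `transport` key, the role names, the command allow-list and the sample values are assumptions; `command`, `args` and `env` are the stdio fields named in the Overview.

```python
from dataclasses import dataclass

ADMIN_ROLES = {"proxy_admin"}              # assumption: roles allowed to use stdio
STDIO_FIELDS = {"command", "args", "env"}  # stdio fields named in the advisory


class Forbidden(Exception):
    """Raised when a request must be rejected before anything is spawned."""


@dataclass
class Caller:
    key_valid: bool
    role: str


def authorize_key_only(caller, server_config):
    """The pattern the advisory describes: a valid key is the only gate."""
    if not caller.key_valid:
        raise Forbidden("invalid API key")
    return server_config


def authorize_with_role(caller, server_config, allowed_commands=frozenset()):
    """Hardened gate: stdio configs need an admin role and a listed command."""
    if not caller.key_valid:
        raise Forbidden("invalid API key")
    # Treat any config carrying stdio fields as stdio, whatever it declares,
    # so a mislabelled transport cannot slip past the role check.
    is_stdio = bool(server_config.get("transport") == "stdio"
                    or STDIO_FIELDS & server_config.keys())
    if not is_stdio:
        return server_config
    if caller.role not in ADMIN_ROLES:
        raise Forbidden("stdio transport requires an admin role")
    if server_config.get("command") not in allowed_commands:
        raise Forbidden("command is not on the allow-list")
    return server_config


if __name__ == "__main__":
    low = Caller(key_valid=True, role="internal_user")
    cfg = {"transport": "stdio", "command": "example-mcp-server", "args": []}
    print("key-only gate accepts:", authorize_key_only(low, cfg) is cfg)
    try:
        authorize_with_role(low, cfg, frozenset({"example-mcp-server"}))
    except Forbidden as exc:
        print("role gate rejects:", exc)
```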
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| learner202649/CVE-2026-42271-PoC The code for personally reproducing the corresponding vulnerability | ★ 0 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
Nuclei Detection Templates
Detection template available — your exposure is being scanned
The templates below are YAML signatures for the Nuclei scanner from ProjectDiscovery. They are not exploit code — they are detection rules that confirm whether a target is vulnerable. The presence of a Nuclei template means every bug bounty hunter, AppSec team, red team, and reconnaissance pipeline on the public internet is actively probing for this CVE.
Assume your exposed instances have already been touched. Patch immediately even if no exploitation is observed yet — fingerprinting precedes exploitation by days at most.
| Template | Source |
|---|---|
| CVE-2026-42271.yaml | View YAML |
1 Nuclei template indexed for this CVE. Source: projectdiscovery/nuclei-templates.