Critical Vulnerability

LiteLLM CVE-2026-42271 exploited, chains to RCE

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity flaw impacting BerriAI LiteLLM to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of

What Happened

CISA added a high-severity flaw in BerriAI LiteLLM, tracked as CVE-2026-42271, to its Known Exploited Vulnerabilities (KEV) catalog on Monday, citing confirmed evidence of active exploitation. The vulnerability, when chained with additional attack vectors, enables unauthenticated remote code execution (RCE) against exposed LiteLLM proxy instances. CISA issued Binding Operational Directive (BOD) 22-01, mandating federal agencies to patch by a specified deadline, though the broader threat extends to any organization running unpatched LiteLLM versions in production or test environments.

Why It Matters

LiteLLM is widely deployed as a gateway for managing and routing requests to large language models (LLMs) from multiple providers (OpenAI, Anthropic, Cohere, etc.). Organizations adopting generative AI infrastructure increasingly rely on LiteLLM proxies as a centralized access and billing layer. An unauthenticated RCE in this gateway presents a severe risk: attackers can hijack the proxy to intercept API keys, modify model prompts, exfiltrate sensitive data processed through the LLM, or pivot deeper into the internal network. The chaining requirement is minimal - public proof-of-concept code demonstrates the exploit chain is straightforward to execute. With CISA’s KEV inclusion, state-sponsored and criminal threat actors now have a validated, weaponized vulnerability to target.

Technical Details

CVE-2026-42271 is a server-side request forgery (SSRF) vulnerability in LiteLLM’s model configuration parsing logic, specifically related to how the proxy handles custom model endpoints. An attacker with network access to the LiteLLM proxy can craft a malicious request that triggers SSRF, which then chains to a deserialization or injection vulnerability in the proxy’s internal routing mechanism, ultimately achieving shell-level RCE without prior authentication.

Affected versions: All LiteLLM releases prior to the vendor patch that addressed this CVE. The exact patched version string was not disclosed in CISA’s advisory, but organizations should immediately upgrade to the latest stable release.

Observations from in-the-wild exploitation include:

  • Attackers targeting exposed management ports and debug endpoints
  • Chains leveraging SSRF to reach internal metadata services (e.g., cloud instance metadata)
  • Post-exploitation activity includes AWS credential harvesting and lateral movement attempts

Immediate Risk

CRITICAL - the vulnerability meets all three conditions for urgent action:

  1. Exploitation confirmed: CISA has evidence of active use in the wild
  2. Chains to RCE: The SSRF alone is dangerous, but the full chain grants code execution
  3. Broad attack surface: Any organization exposing LiteLLM to the internet (or even internal networks with lateral movement risk) is vulnerable

Organizations should treat unpatched LiteLLM instances as compromised until proven otherwise. The lack of authentication requirement on the initial SSRF vector means any network path to the proxy is sufficient. Cloud deployments are especially high-risk due to SSRF enabling metadata service access.

Security Insight

This incident mirrors the exploitation pattern seen with Apache Log4j and more recently with the Ruby on Rails csv gem - not because the vulnerability class is identical, but because the chaining mechanism exploits implicit trust in the proxy’s configuration surface. The recurring lesson is that LLM infrastructure proxies inherit all the attack surface of API gateways, plus additional risk from model routing logic that can be tricked into making server-side requests. Defenders should treat any LLM proxy component with the same zero-trust posture applied to reverse proxies and API gateways, not as a simple pass-through. Specifically, review your LiteLLM deployment for custom model endpoints that accept user-supplied URLs or hostnames - this is the exact configuration pattern CVE-2026-42271 targets. For more technical details and indicators of compromise, see the full advisory at CVE-2026-42271.
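The endpoint review recommended above can be scripted. The following is an added example, not code from LiteLLM or from CISA's advisory: it walks a proxy config's model_list and flags every custom api_base that points at an internal, link-local (cloud metadata), or non-allowlisted host. The allowlist, the sample config, and the function names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only upstream hosts this deployment should call.
ALLOWED_HOSTS = {"api.openai.com", "api.anthropic.com"}

# Constructed sample, shaped like a LiteLLM proxy model_list already parsed
# from YAML into a dict (entries trimmed to the keys this check reads).
SAMPLE_CONFIG = {"model_list": [
    {"model_name": "default", "litellm_params": {"model": "openai/example"}},
    {"model_name": "vendor", "litellm_params": {"api_base": "https://api.anthropic.com"}},
    {"model_name": "local-test", "litellm_params": {"api_base": "http://169.254.169.254/"}},
    {"model_name": "internal", "litellm_params": {"api_base": "https://10.0.0.5:8000/v1"}},
    {"model_name": "partner", "litellm_params": {"api_base": "https://llm.example.net/v1"}},
]}

def classify_endpoint(url):
    """Return why an endpoint URL is risky, or None if it passes every check."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # drop trailing-dot variants
    except ValueError:
        return "unparseable URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, treat it as a DNS name
    if ip is not None:
        if ip.is_link_local:
            return "link-local address (cloud metadata range)"
        return "non-public IP literal" if not ip.is_global else "bare IP literal"
    if host not in ALLOWED_HOSTS:
        return "host not on allowlist"
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} is not https"
    return None

def audit_model_list(config):
    """List (model_name, api_base, reason) for every endpoint that fails."""
    findings = []
    for entry in config.get("model_list", []):
        api_base = entry.get("litellm_params", {}).get("api_base")
        if api_base is None:
            continue  # no custom endpoint configured for this model
        reason = classify_endpoint(api_base)
        if reason:
            findings.append((entry.get("model_name"), api_base, reason))
    return findings
```

The check is static and does not resolve DNS, which is why it relies on a hostname allowlist rather than trying to decide whether an arbitrary name maps to an internal address.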
