CVE-2026-42271 – LiteLLM
“An AI gateway becomes a system gateway when users can execute commands on the host.”
BerriAI patched CVE-2026-42271 in LiteLLM. Versions 1.74.2 through 1.83.6 allowed authenticated users to abuse MCP server testing endpoints to execute arbitrary commands on the host running the LiteLLM proxy. The vulnerable endpoints accepted full server configurations and could spawn attacker-supplied commands as subprocesses with the privileges of the proxy process. The CVSS score is 8.7, which is High severity.
The issue stems from insufficient authorization controls on MCP preview functionality. Any authenticated user with a valid proxy API key, including low-privilege internal users, could execute commands on the underlying system. This vulnerability enables remote code execution and has been patched in version 1.83.7. Active exploitation has been reported.
Key Details
- Affected Product
- Litellm Litellm
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- None
- CWE Classification
- CWE-77