CVE-2026-42271

Severity: HIGH

LiteLLM: Authenticated command execution via MCP stdio test endpoints

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42271. PoCs published by learner202649.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-42271, targeting LiteLLM's MCP stdio command injection vulnerability. The exploit leverages the POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list endpoints to execute arbitrary commands on a vulnerable LiteLLM instance.

Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.

Exploits (1)

GitHub · Working PoC
by learner202649 · python · poc
https://github.com/learner202649/CVE-2026-42271-PoC


Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LiteLLM versions >= 1.74.2, < 1.83.7
Auth required: yes
Prerequisites: Valid LiteLLM API key · Access to vulnerable LiteLLM instance
Analyzed by devstral-2 on May 20, 2026


Scores

CVSS v3: 8.8
EPSS: 0.0002
EPSS Percentile: 6.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical Impact: total

Lab Environment

Community Lab
docker pull ghcr.io/berriai/litellm@sha256:7c311546c25e7bb6e8cafede9fcd3d0d622ac636b5c9418befaa32e85dfb0186
docker pull ghcr.io/berriai/litellm@sha256:af0152ca6dfb6703b35c0d4899effa9ac132bce9a4fbcbe1dc6ef145c100db26

Details

CWE: CWE-77, CWE-78
Status: published
Products (3)
BerriAI/litellm >= 1.74.2, < 1.83.7
litellm/litellm 1.74.2 - 1.83.7
pypi/litellm 1.74.2 - 1.83.7 (PyPI)
Published: May 08, 2026
Tracked Since: May 08, 2026