CVE-2026-42271

HIGH KEV NUCLEI LAB

LiteLLM: Authenticated command execution via MCP stdio test endpoints

Title source: cna
STIX 2.1

Exploitation Summary

CVE-2026-42271 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 8, 2026. EIP tracks 4 public exploits from researchers including SecureWithUmer, amnsecurity, HORKimhab. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains no functional exploit code, technical details, or vulnerability analysis for CVE-2026-42271. It only includes placeholder files (README, LICENSE, .gitignore, and a template file) with generic educational disclaimers and setup instructions.

Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.

Exploits (4)

github STUB
by SecureWithUmer · c++poc
https://github.com/SecureWithUmer/CVE-2026-PoCs/tree/main/2026/CVE-2026-42271

This repository contains no functional exploit code, technical details, or vulnerability analysis for CVE-2026-42271. It only includes placeholder files (README, LICENSE, .gitignore, and a template file) with generic educational disclaimers and setup instructions.

Classification
Stub 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unspecified
No auth needed
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
github WORKING POC
by amnsecurity · pythonremote
https://github.com/amnsecurity/CVE-2026-42271-LiteLLM-RCE

This repository contains a functional exploit for CVE-2026-42271, a command injection vulnerability in LiteLLM AI Gateway's MCP test endpoints. The exploit leverages unsanitized 'command', 'args', and 'env' fields in user-controlled server configurations to execute arbitrary OS commands on the host.

Classification
Working Poc 98%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: LiteLLM AI Gateway versions 1.74.2 through 1.83.6
Auth required
Prerequisites: Valid LiteLLM API key for authentication · Network access to the LiteLLM proxy endpoint · Target running an affected version of LiteLLM
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
github STUB
by HORKimhab · poc
https://github.com/HORKimhab/CVE-2026-42271

The repository contains only a template structure with no actual exploit code or technical details about CVE-2026-42271. It includes placeholder files and a generic README with legal disclaimers but no functional PoC.

Classification
Stub 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unspecified
No auth needed
mistral-large-3 · analyzed Jun 09, 2026 Full analysis →
github WORKING POC
by learner202649 · pythonremote-auth
https://github.com/learner202649/CVE-2026-42271-PoC

This repository contains a functional exploit for CVE-2026-42271, targeting LiteLLM's MCP stdio command injection vulnerability. The exploit leverages the POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list endpoints to execute arbitrary commands on a vulnerable LiteLLM instance.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: LiteLLM versions >= 1.74.2, < 1.83.7
Auth required
Prerequisites: Valid LiteLLM API key · Access to vulnerable LiteLLM instance
mistral-large-3 · analyzed May 20, 2026 Full analysis →

Nuclei Templates (1)

LiteLLM - Command Injection
CRITICALby ritikchaddha

Scores

CVSS v3 8.8
EPSS 0.8019
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull ghcr.io/berriai/litellm@sha256:7c311546c25e7bb6e8cafede9fcd3d0d622ac636b5c9418befaa32e85dfb0186
docker pull ghcr.io/berriai/litellm@sha256:af0152ca6dfb6703b35c0d4899effa9ac132bce9a4fbcbe1dc6ef145c100db26
+1 more repos

Details

CISA KEV 2026-06-08
VulnCheck KEV 2026-06-08
ENISA EUVD EUVD-2026-28507
CWE
CWE-77 CWE-78
Status published
Products (5)
BerriAI/litellm >= 1.74.2, < 1.83.7
litellm/litellm 1.74.2 - 1.83.7
pypi/litellm 1.74.2 - 1.83.7PyPI
redhat/openshift_ai 3.4
redhat/openshift_ai 2.25 - 2.25.8
Published May 08, 2026
KEV Added Jun 08, 2026
Tracked Since May 08, 2026