The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a significant vulnerability in BerriAI's LiteLLM, adding it to its Known Exploited Vulnerabilities (KEV) catalog. The high-severity flaw, tracked as CVE-2026-42271 with a CVSS score of 8.7, is being actively exploited.
Details of the LiteLLM Vulnerability
This command injection vulnerability allows authenticated users to execute arbitrary commands on the host system. It affects the LiteLLM Python package and is reached primarily through two endpoints intended for testing server configurations: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. Because these endpoints accept a full server configuration in the request body, an authenticated caller can trigger command execution on the host with the privileges of the proxy process.
According to BerriAI, the issue stems from the endpoints being protected solely by a valid proxy API key, so any authenticated user could abuse them. The fix in version 1.83.7 now requires the PROXY_ADMIN role for these endpoints.
Exploitation Through Starlette Host Header Bypass
In a related development, Horizon3.ai reported that this vulnerability has been chained with another flaw, CVE-2026-48710, a host header validation bypass in the Starlette framework. Starlette, an asynchronous (ASGI) web framework, was vulnerable in versions up to 1.0.0; the bypass allows attackers to skip authentication entirely, turning the chain into remote code execution without credentials.
When the combined exploit chain succeeds, attackers can execute arbitrary commands, access sensitive credentials, and potentially compromise integrated systems. Its severity is reflected in the combined CVSS score of 10.0.
Recommendations and Mitigations
The extent of exploitation and the identity of the attackers remain unclear. Users should nonetheless update LiteLLM to version 1.83.7 and Starlette to version 1.0.1. Where patching cannot happen immediately, recommended mitigations include blocking POST requests to the affected test endpoints at the gateway, restricting network access, rotating stored credentials, and monitoring logs for unusual activity.
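As an added example (not code from the article, LiteLLM or Horizon3.ai), the gateway-blocking and log-monitoring mitigations above can be expressed as one rule: deny POSTs to the two MCP test endpoints, and apply the same rule retroactively over access logs to find requests that already reached them. The log layout and sample lines are constructed for the example; real LiteLLM or reverse-proxy logs will need their own regular expression.

```python
import re
from typing import Iterable

# Endpoints named in the advisory for CVE-2026-42271.
SENSITIVE_ENDPOINTS = {
    "/mcp-rest/test/connection",
    "/mcp-rest/test/tools/list",
}

# Assumed (constructed) access-log layout, one request per line:
#   <client_ip> <method> <path> <status> host=<Host header value>
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) host=(?P<host>\S+)$"
)


def normalise_path(path: str) -> str:
    """Drop the query string and trailing slash so path variants still match."""
    return path.split("?", 1)[0].rstrip("/") or "/"


def is_blocked_request(method: str, path: str) -> bool:
    """Gateway rule: deny POSTs to the MCP test endpoints until the proxy is patched."""
    return method.upper() == "POST" and normalise_path(path) in SENSITIVE_ENDPOINTS


def find_suspicious_requests(lines: Iterable[str]) -> list[dict]:
    """Return every logged request the gateway rule would have blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line is not in the assumed layout; skip it
        if is_blocked_request(m["method"], m["path"]):
            hits.append({
                "ip": m["ip"],
                "path": normalise_path(m["path"]),
                "status": int(m["status"]),
                "host": m["host"],  # kept so an analyst can compare it with the expected hostname
            })
    return hits


# Constructed sample log: only the two POSTs to the test endpoints should be flagged.
SAMPLE_LOG = """\
10.0.0.5 POST /chat/completions 200 host=llm.internal
10.0.0.9 GET /mcp-rest/test/connection 405 host=llm.internal
203.0.113.7 POST /mcp-rest/test/connection 200 host=llm.internal
203.0.113.7 POST /mcp-rest/test/tools/list/?verbose=1 200 host=unexpected.example
"""

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

A 200 status on a flagged line means the request reached the proxy before any block was in place, which is the trigger for the credential-rotation step.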
This incident follows closely on the heels of another serious vulnerability in LiteLLM, CVE-2026-42208, which was exploited shortly after disclosure. Such developments highlight the urgent need for robust cybersecurity practices and timely updates.
As the situation evolves, staying informed and proactive is essential for mitigating potential risks associated with these vulnerabilities.
