Cybersecurity experts have identified active exploitation of a severe vulnerability in LiteLLM, an open-source AI gateway proxy. The vulnerability allows unauthorized remote code execution (RCE) on systems running affected versions. Researchers from Horizon3.ai reported that chaining two CVEs produces a CVSS 10.0 critical threat that requires no credentials to exploit.
Understanding the Core Vulnerability
The primary concern revolves around CVE-2026-42271, a command injection issue within LiteLLM’s Model Context Protocol (MCP) server. This flaw exists in two endpoints, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, which accept and execute server configurations as subprocesses. Initially, this flaw required an API key, but subsequent findings have shown that it can be exploited without one.
Horizon3.ai discovered that by leveraging CVE-2026-48710, a vulnerability in the Starlette framework, attackers can bypass authentication entirely. The bypass manipulates the HTTP Host header, and the injected commands then execute with the same privileges as the LiteLLM proxy process.
Implications for AI Infrastructure
The impact of this vulnerability is extensive, potentially affecting LiteLLM versions 1.74.2 through 1.83.6. A successful attacker can execute arbitrary operating system commands, compromise API keys, and access sensitive information managed by the proxy.
Given LiteLLM’s role in managing API calls to large language models from providers like OpenAI and Azure, the breach of this gateway could lead to widespread exposure across AI supply chains. The risk underscores the importance of immediate action to mitigate potential threats.
Mitigation and Protection Strategies
Organizations are urged to update LiteLLM to version 1.83.7 or later and ensure Starlette is upgraded to version 1.0.1. Where immediate patching is not feasible, interim protective measures include blocking external access to the MCP endpoints, restricting network access to trusted networks, and rotating stored credentials.
Security teams should remain vigilant for signs of exploitation, such as unexpected subprocess executions, irregular HTTP requests targeting specific endpoints, and unauthorized commands on host systems. Monitoring for these indicators is critical in preventing further breaches.
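As an added example (not code from LiteLLM or Horizon3.ai), the following Python sketch shows one way to triage the two indicators the article makes concrete: an installed version inside the affected range and POST requests to the two MCP test endpoints. It assumes a reverse proxy in front of LiteLLM writes common/combined-format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoints named in the article.
MCP_TEST_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

# Assumption: common/combined access log format from a fronting reverse proxy.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_affected(version: str) -> bool:
    """True if the version is in the range the article gives (1.74.2 through 1.83.6)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return (1, 74, 2) <= parts <= (1, 83, 6)

def find_mcp_test_hits(lines):
    """Group POSTs to the MCP test endpoints by source address."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string and any trailing slash before comparing paths.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path in MCP_TEST_PATHS:
            hits[m["src"]].append((m["ts"], path, int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2026:10:00:03 +0000] "POST /mcp-rest/test/tools/list?x=1 HTTP/1.1" 200 845',
    '203.0.113.20 - - [01/Jan/2026:10:02:10 +0000] "POST /v1/chat/completions HTTP/1.1" 200 1200',
    '203.0.113.20 - - [01/Jan/2026:10:02:15 +0000] "GET /mcp-rest/test/connection HTTP/1.1" 405 31',
]

if __name__ == "__main__":
    for src, events in find_mcp_test_hits(SAMPLE_LOG).items():
        for ts, path, status in events:
            print(f"{src} {ts} POST {path} -> {status}")
```

Hits from sources outside the administrative network are the ones to correlate with unexpected child processes of the LiteLLM proxy on the host.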
Given the active exploitation of this vulnerability, any organization deploying LiteLLM should treat patching as an urgent priority. Staying informed and proactive is crucial to maintaining the security of AI infrastructure.
