Critical Command Injection Flaw in LiteLLM AI Gateway Under Active Exploitation The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-42271, a command injection vulnerability in BerryAI’s LiteLLM open-source AI gateway, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation. The flaw, disclosed in April 2026, affects organizations using LiteLLM a widely adopted library that standardizes interactions with multiple large language model (LLM) APIs under a single OpenAI-compatible interface. ### Vulnerability Details LiteLLM is used by developers and enterprises to manage API keys, route AI traffic, and avoid vendor lock-in, either as a Python SDK or a standalone proxy server. The vulnerability stems from improper input sanitization in two endpoints `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` which allowed authenticated users (including those with low-privilege API keys) to execute arbitrary commands on the host system. Exploitation required only a valid proxy API key, with no role-based access controls in place. ### Exploitation Risks & Attack Chain Initially, attackers needed a valid API key to exploit CVE-2026-42271, but researchers at Horizon3.ai discovered that the requirement could be bypassed by chaining it with CVE-2026-48710 ("BadHost"), an authentication bypass flaw in Starlette, the Python web framework underpinning LiteLLM. Successful exploitation enables: - Arbitrary command execution on the LiteLLM host - Theft of model provider credentials and API keys - Lateral movement into connected AI infrastructure - Compromise of downstream systems CVE-2026-48710 was patched in Starlette v1.0.1, while CVE-2026-42271 was addressed in LiteLLM v1.83.7, which introduced role-based restrictions (limiting test endpoint access to PROXY_ADMIN users) and updated Starlette dependencies. ### Mitigation & Federal Response Organizations using LiteLLM are urged to upgrade to v1.83.7 or, if immediate patching is not feasible, block access to the vulnerable MCP test endpoints and restrict network access to trusted segments. Credentials stored by the proxy should also be rotated. CISA has mandated U.S. federal civilian agencies to remediate the flaw by June 22, 2026. ### Broader Context This marks the second time in a month that LiteLLM has been targeted by attackers. In March 2026, threat group TeamPCP compromised BerryAI’s supply chain, publishing malicious LiteLLM versions on the Python Package Index (PyPI). No details have been released about the current exploitation campaigns or whether CVE-2026-48710 is being actively leveraged alongside the command injection flaw.