CVE-2026-42271
Analyzed Analyzed - Analysis Complete
LiteLLM Proxy Server Command Injection Vulnerability

Publication date: 2026-05-08

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it β€” POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list β€” accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user β€” including holders of low-privilege internal-user keys β€” could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-06-09
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42271
EUVD
EUVD-2026-28507
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
litellm litellm From 1.74.2 (inc) to 1.83.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42271 is a high-severity vulnerability in the LiteLLM proxy server versions 1.74.2 to before 1.83.7. Two endpoints used for previewing an MCP server accepted a full server configuration including command, args, and env fields. When these endpoints were called with a stdio configuration, they spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.

These endpoints were only protected by a valid proxy API key and did not perform any role checks, meaning any authenticated user, even those with low-privilege internal-user keys, could execute arbitrary commands on the host system.

This vulnerability was patched in version 1.83.7 by requiring the PROXY_ADMIN role for these endpoints.

Compliance Impact

The vulnerability allows any authenticated user with a valid proxy API key, including low-privilege users, to execute arbitrary commands on the host system. This unauthorized command execution can lead to unauthorized access, data breaches, or manipulation of sensitive information.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and systems, as well as measures to prevent unauthorized actions.

Because the vulnerability permits privilege escalation and arbitrary command execution without proper role checks, it increases the risk of violating data protection and security requirements mandated by these regulations.

Impact Analysis

This vulnerability allows any authenticated user with a valid proxy API key to execute arbitrary commands on the host system running the LiteLLM proxy server.

Such arbitrary command execution can lead to unauthorized access, data compromise, system disruption, or full control over the proxy host, depending on the privileges of the proxy process.

Because low-privilege users can exploit this, it significantly increases the risk of insider threats or compromised credentials being used to escalate attacks.

Detection Guidance

This vulnerability can be detected by monitoring for requests to the two vulnerable endpoints: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list.

You can look for API calls that include a full server configuration in the request body, especially those containing command, args, and env fields that might be used to spawn subprocesses.

To detect exploitation attempts, you can search your web server or proxy logs for POST requests to these endpoints with suspicious payloads.

  • Use tools like curl or wget to simulate requests and verify if the endpoints are accessible without proper role checks.
  • Example command to check access (replace <host> and <api_key>):
  • curl -X POST https://<host>/mcp-rest/test/connection -H "Authorization: Bearer <api_key>" -d '{"command":"id"}'
  • Check logs for unexpected command execution or subprocess spawning related to these endpoints.
Mitigation Strategies

The primary mitigation is to upgrade LiteLLM to version 1.83.7 or later, where the vulnerability is patched.

If immediate upgrade is not possible, block access to the vulnerable endpoints POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at the reverse proxy or API gateway.

Ensure that only users with the PROXY_ADMIN role can access these endpoints after upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart