LiteLLM RCE chain CVE-2026-42271 sees active exploitation
A command injection flaw in LiteLLM's MCP test endpoints (CVE-2026-42271, CVSS 8.7), chained with a Starlette host-header bypass (CVE-2026-48710, CVSS 6.5), enables unauthenticated RCE; CISA confirmed active exploitation on June 9, 2026, and the fix requires upgrading to LiteLLM 1.83.7 and Starlette 1.0.1.
Score breakdown
The combination of a CISA KEV listing, confirmed active exploitation, and a public proof-of-concept means any internet-reachable LiteLLM proxy running an affected version is at immediate risk of unauthenticated code execution and credential theft.
CVE-2026-42271 is a command injection vulnerability in LiteLLM versions 1.74.2 through 1.83.6, carrying a CVSS score of 8.7. The flaw resides in two MCP server preview endpoints — `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` — which accepted a full server configuration in the request body, including `command`, `args`, and `env` fields used by the stdio transport. To test an MCP server over stdio, LiteLLM spawned the supplied command as a subprocess on the proxy host with no sandbox and no allowlist, turning a convenience feature into arbitrary code execution running as the LiteLLM process. On its own, the flaw required a valid API key, making it "authenticated" RCE.
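To make the design fault concrete, here is an added example (not LiteLLM's code) contrasting the request-driven spawn the article describes with a registry-based alternative. The `command`, `args` and `env` fields are the ones the article names; the registry, the server ids, the `FORWARDABLE_ENV` allowlist and the function names are assumptions made for illustration. Neither function executes anything; each returns the argv and environment a subprocess call would receive.

```python
"""Request-driven spawn versus an operator-controlled registry for the stdio transport.

Added example, not LiteLLM's code. The request fields (command, args, env) are the
ones the article names; the registry, server ids, function names and the
FORWARDABLE_ENV allowlist are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field

SERVER_ID_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")
# Env keys an operator-defined server may pass to its child process (assumed allowlist).
FORWARDABLE_ENV = {"PATH", "LANG", "MCP_LOG_LEVEL"}


@dataclass(frozen=True)
class StdioServer:
    """A server definition that lives in the proxy's own config, never in a request."""
    command: str
    args: tuple = ()
    env: dict = field(default_factory=dict)

    def argv(self) -> list:
        return [self.command, *self.args]


# Constructed registry standing in for what an operator declares in config.
REGISTRY = {
    "filesystem": StdioServer("mcp-server-filesystem", ("--root", "/srv/mcp/share")),
    "git": StdioServer("mcp-server-git", (), {"MCP_LOG_LEVEL": "info", "DEBUG_DUMP": "1"}),
}


class RejectedConfig(ValueError):
    """Raised when a request tries to supply process configuration inline."""


def build_spawn_unsafe(body: dict) -> tuple:
    """The shape the article describes: argv and env come straight from the caller.

    Returns what a subprocess call would receive; nothing is executed here.
    """
    argv = [body["command"], *body.get("args", [])]
    return argv, dict(body.get("env", {}))


def build_spawn_safe(body: dict, registry: dict = REGISTRY) -> tuple:
    """Hardened shape: the request may only *name* a registered server.

    Inline command/args/env are refused rather than merged, the name is
    validated before lookup, and the child env is filtered to an allowlist
    even though it comes from operator config (defence in depth).
    """
    inline = {"command", "args", "env"} & set(body)
    if inline:
        raise RejectedConfig(f"inline process config not accepted: {sorted(inline)}")
    server_id = body.get("server_id")
    if not isinstance(server_id, str) or not SERVER_ID_RE.match(server_id):
        raise RejectedConfig("malformed or missing server_id")
    server = registry.get(server_id)
    if server is None:
        raise RejectedConfig(f"unknown server_id {server_id!r}")
    env = {k: v for k, v in server.env.items() if k in FORWARDABLE_ENV}
    return server.argv(), env


if __name__ == "__main__":
    print(build_spawn_unsafe({"command": "cat", "args": ["/etc/hostname"]}))
    print(build_spawn_safe({"server_id": "git"}))
```

The point of the safe variant is that a "test this server" endpoint only ever needs a reference to something the operator already configured; accepting a full process specification from the caller is what turns a convenience feature into code execution, with or without a valid API key.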
The chain becomes unauthenticated when combined with CVE-2026-48710 ("BadHost"), a host-header parsing flaw in Starlette 0.8.3 through 1.0.0 (CVSS 6.5). By appending characters such as `?` or `#` to the `Host` header, an attacker causes Starlette to compute the request path as `/` (a public route) while the router still dispatches to the real administrative endpoint, causing path-based auth middleware to wave the request through. Horizon3.ai published a full working proof-of-concept demonstrating unauthenticated RCE with no login required. The BadHost flaw also affects FastAPI, vLLM, and any ASGI application using path-based auth. CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog on June 9, 2026, citing confirmed active exploitation in the wild — triggering mandatory remediation deadlines for US federal agencies.
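Because the bypass relies on a `Host` value that is not a valid host at all, a strict grammar check at the edge (reverse proxy or a middleware that runs before routing) rejects the request regardless of how the framework computes the path, and the same check gives responders a cheap way to triage access logs for the pattern. The following is an added example, not Starlette's or LiteLLM's code: the validator implements the RFC 3986 host grammar, and the six-field log format, the sample lines and the `SENSITIVE_PREFIXES` tuple are constructed for this illustration.

```python
"""Strict Host-header validation and access-log triage for the BadHost pattern.

Added example, not Starlette's or LiteLLM's code. The six-field log line format,
the sample lines and the sensitive path prefixes are constructed for this
illustration; the validator implements the RFC 3986 host grammar as an edge check.
"""
import re

# Host = IP-literal / reg-name, with an optional port. reg-name permits only
# unreserved characters and sub-delims, so '?', '#', '/', spaces and the like
# never belong in a Host value. Assumption: percent-encoding is not accepted.
HOST_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]"                      # IPv6 literal
    r"|[A-Za-z0-9._~!$&'()*+,;=-]+)"               # reg-name (covers IPv4 too)
    r"(?::([0-9]{1,5}))?$"
)

SENSITIVE_PREFIXES = ("/mcp-rest/test/",)  # the endpoints the article names


def is_wellformed_host(host: str) -> bool:
    """True only when the whole value is a syntactically valid host[:port]."""
    m = HOST_RE.match(host)
    if m is None:
        return False
    port = m.group(1)
    return port is None or 0 < int(port) <= 65535


# Constructed access-log lines: timestamp client method path status host.
SAMPLE_LOG = [
    "2026-06-10T08:01:12Z 10.0.0.5 POST /mcp-rest/test/connection 200 proxy.internal:4000",
    "2026-06-10T08:01:13Z 203.0.113.7 POST /mcp-rest/test/connection 200 proxy.internal:4000?",
    "2026-06-10T08:01:14Z 203.0.113.7 POST /mcp-rest/test/tools/list 200 proxy.internal#",
    "2026-06-10T08:01:15Z 10.0.0.9 GET /health 200 proxy.internal:4000",
    "2026-06-10T08:01:16Z 10.0.0.9 GET /v1/models 200 [::1]:4000",
]


def parse_line(line: str) -> dict:
    """Split one constructed log line; the Host value is the final field."""
    ts, client, method, path, status, host = line.split(" ", 5)
    return {"ts": ts, "client": client, "method": method, "path": path,
            "status": int(status), "host": host}


def triage(lines) -> list:
    """Return records whose Host value fails the grammar, most concerning first.

    A malformed Host on a request that reached a sensitive route with a 2xx
    status is the combination worth paging on.
    """
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if is_wellformed_host(rec["host"]):
            continue
        rec["sensitive_path"] = rec["path"].startswith(SENSITIVE_PREFIXES)
        rec["succeeded"] = 200 <= rec["status"] < 300
        flagged.append(rec)
    flagged.sort(key=lambda r: (r["sensitive_path"], r["succeeded"]), reverse=True)
    return flagged


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["client"], rec["method"], rec["path"], repr(rec["host"]),
              "sensitive" if rec["sensitive_path"] else "", "2xx" if rec["succeeded"] else "")
```

The validator is deliberately stricter than most frameworks: it answers "is this a host at all?" rather than "can I extract something host-like from it?", which is the distinction that matters when a downstream component and the router disagree about what the header means. Most reverse proxies can enforce the same rule before the request reaches the application.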
The article by Avinash Sangle notes this is LiteLLM's second critical incident in three months, following a March 2026 poisoned-dependency incident that exfiltrated credentials. The prescribed remediation is to upgrade both LiteLLM to 1.83.7 and Starlette to 1.0.1, restart the proxy, and confirm the new versions are live. Crucially, the article emphasizes that patching alone is insufficient if the proxy was exposed: every provider key, master key, and database credential the gateway touched must be rotated, since patching cannot un-leak a secret an attacker already read.
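The "confirm the new versions are live" step is the one most often skipped. The following added example (not LiteLLM's tooling) reads the installed versions of both packages from the Python environment and gates them against the affected ranges and fixed releases the article gives; the function names, the status labels and the strict three-component version parser are assumptions. Run it inside the proxy's own environment or container after the restart, since it reports what that interpreter has installed, not what a different environment might have.

```python
"""Post-upgrade verification against the affected ranges the article gives.

Added example, not LiteLLM's tooling. Affected ranges and fixed versions are
from the article; function names, status labels and the strict version parser
are assumptions.
"""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# (first affected, last affected, first fixed), inclusive, as stated in the article.
AFFECTED = {
    "litellm": ((1, 74, 2), (1, 83, 6), (1, 83, 7)),
    "starlette": ((0, 8, 3), (1, 0, 0), (1, 0, 1)),
}

VERSION_RE = re.compile(r"([0-9]+)\.([0-9]+)\.([0-9]+)")


def parse_version(text: str) -> tuple:
    """Accept only plain X.Y.Z; anything else (pre-release tags, two-part
    versions) is refused so the gate never guesses in the package's favour."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(pkg: str, ver_text: str) -> dict:
    """Classify one installed version against the article's ranges."""
    lo, hi, fixed = AFFECTED[pkg]
    v = parse_version(ver_text)
    if lo <= v <= hi:
        status = "vulnerable"
    elif v >= fixed:
        status = "fixed"
    else:
        # Older than the range the article names; not covered by the advisory,
        # so treat it as something to verify separately rather than as safe.
        status = "outside-affected-range"
    return {"package": pkg, "version": ver_text, "status": status}


def live_versions() -> dict:
    """Installed versions in the current interpreter, None when absent."""
    found = {}
    for pkg in AFFECTED:
        try:
            found[pkg] = installed_version(pkg)
        except PackageNotFoundError:
            found[pkg] = None
    return found


def remediation_gate(versions: dict) -> tuple:
    """Pass only when every package in AFFECTED is present and on a fixed release."""
    results = []
    for pkg in AFFECTED:
        text = versions.get(pkg)
        if text is None:
            results.append({"package": pkg, "version": None, "status": "not-installed"})
            continue
        try:
            results.append(assess(pkg, text))
        except ValueError:
            results.append({"package": pkg, "version": text, "status": "unparseable"})
    ok = all(r["status"] == "fixed" for r in results)
    return ok, results


if __name__ == "__main__":
    ok, results = remediation_gate(live_versions())
    for r in results:
        print(f"{r['package']:<10} {str(r['version']):<12} {r['status']}")
    print("GATE:", "pass" if ok else "FAIL")
```

A passing gate confirms only the first half of the remediation the article prescribes; the credential rotation it calls for has no equivalent version string to check and has to be tracked separately.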
Key facts
- CVE-2026-42271 is a command injection flaw in LiteLLM's MCP test endpoints, CVSS 8.7, affecting versions 1.74.2 through 1.83.6.
- CVE-2026-48710 ('BadHost') is a Starlette host-header bypass flaw, CVSS 6.5, affecting Starlette 0.8.3 through 1.0.0.
- Chained together, the two CVEs produce fully unauthenticated RCE on the LiteLLM proxy.
- CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog on June 9, 2026, citing confirmed active exploitation.
- Horizon3.ai published a working proof-of-concept demonstrating the full unauthenticated RCE chain.
- The fix requires upgrading to LiteLLM 1.83.7 and Starlette 1.0.1, plus rotating all credentials the gateway touched.
- This is LiteLLM's second critical incident in three months, following a March 2026 poisoned-dependency credential-exfiltration event.
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 18, 2026 · 10:40 UTC.