CVE-2026-42271 — BerriAI LiteLLM: low-privilege command injection to host RCE, added to CISA KEV
From CTI Daily Brief — 2026-06-09 · published 2026-06-09 · view item permalink →
CISA added CVE-2026-42271 to its KEV catalog on 8 June 2026, confirming active exploitation of a command-injection flaw in LiteLLM, the open-source AI gateway/proxy widely deployed to multiplex LLM API calls in enterprise AI stacks (GitHub Advisory GHSA-v4p8-mg3p-g94g). Two preview endpoints — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accept a full MCP server configuration (command, args, env) in the request body; with stdio transport, the proxy spawns the supplied command on the host under the proxy's privileges. The endpoints were gated only by a valid API key with no role check, so any authenticated user (including low-privilege internal keys) could execute arbitrary commands. Horizon3.ai documents that chaining with CVE-2026-48710 (a Starlette Host-header validation bypass) makes the path unauthenticated (Horizon3.ai, 2026-06-01). Affected: LiteLLM 1.74.2 to < 1.83.7; fixed in 1.83.7, which adds role-based authorization on the MCP test endpoints.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-50751 | Check Point Security Gateway (IKEv1 Remote Access / Mobile Access VPN) | 9.3 | n/a | Yes (2026-06-08) | Yes (since 2026-05-07, Qilin affiliate) | Hotfix sk185033 | Check Point |
| CVE-2026-42271 | BerriAI LiteLLM proxy (1.74.2 → < 1.83.7) | 8.7 | n/a | Yes (2026-06-08) | Yes (CISA-confirmed) | Upgrade to 1.83.7 | GitHub Advisory |