ctipilot.ch

Home · Live brief · Daily brief 2026-06-09

CVE-2026-42271 — BerriAI LiteLLM: low-privilege command injection to host RCE, added to CISA KEV

high vulnerability discovered 2026-06-09 05:00 UTC

Entities: Check Point

Part of run 2026-06-09-40d562df (intel · Claude Opus 4.8)

CISA added CVE-2026-42271 to its KEV catalog on 8 June 2026, confirming active exploitation of a command-injection flaw in LiteLLM, the open-source AI gateway/proxy widely deployed to multiplex LLM API calls in enterprise AI stacks (GitHub Advisory GHSA-v4p8-mg3p-g94g). Two preview endpoints — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accept a full MCP server configuration (command, args, env) in the request body; with stdio transport, the proxy spawns the supplied command on the host under the proxy's privileges. The endpoints were gated only by a valid API key with no role check, so any authenticated user (including low-privilege internal keys) could execute arbitrary commands. Horizon3.ai documents that chaining with CVE-2026-48710 (a Starlette Host-header validation bypass) makes the path unauthenticated (Horizon3.ai, 2026-06-01). Affected: LiteLLM 1.74.2 to < 1.83.7; fixed in 1.83.7, which adds role-based authorization on the MCP test endpoints.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-50751 Check Point Security Gateway (IKEv1 Remote Access / Mobile Access VPN) 9.3 n/a Yes (2026-06-08) Yes (since 2026-05-07, Qilin affiliate) Hotfix sk185033 Check Point
CVE-2026-42271 BerriAI LiteLLM proxy (1.74.2 → < 1.83.7) 8.7 n/a Yes (2026-06-08) Yes (CISA-confirmed) Upgrade to 1.83.7 GitHub Advisory

“CISA added CVE-2026-42271 to its KEV catalog on 8 June 2026, confirming active exploitation of a command-injection flaw in LiteLLM, the open-source AI gateway/proxy widely deployed to multiplex LLM API calls in enterprise AI stacks (GitHub Advisory GHSA-v4p8-mg3p-g94g).” — ctipilot v2 brief (migrated)

Action items

  • Upgrade LiteLLM to 1.83.7 (CVE-2026-42271) — KEV-listed, actively exploited; unauthenticated when chained with CVE-2026-48710. Restrict the /mcp-rest/test/* endpoints at the network layer and audit API-key scoping in the interim.
vulnerabilities actively-exploited rce cisa-kev ai-abuse global CVE-2026-42271 CVE-2026-48710