What happened
LiteLLM's MCP test endpoints spawn arbitrary subprocesses from attacker-supplied commands without validation. CISA added to KEV catalog 2026-06-09 with active in-the-wild exploitation confirmed. Chains with Starlette host-header bypass for unauthenticated access.
Why it matters
LiteLLM is the most widely deployed open-source AI gateway, routing requests to 100+ model providers. Command injection combined with auth bypass = unauthenticated RCE on the central point of trust for all organization AI interactions. Every prompt, response, and credential passes through the compromised gateway.
Attack vector
POST /mcp-rest/test/connection or /mcp-rest/test/tools/list endpoints accept unsanitized 'command' field; subprocess spawning without validation; chains with CVE-2026-48710 (Starlette host-header bypass) for unauthenticated RCE (CVSS combined 10.0)
Affected systems
LiteLLM 1.74.2 through 1.83.6 (fixed in 1.83.7); affects all model providers routed through LiteLLM
Mitigation
Patch to LiteLLM 1.83.7+ immediately; update Starlette to 1.0.1+; rotate ALL provider API keys, master keys, and database credentials; restrict MCP test endpoints network access