What happened
LiteLLM's MCP test endpoint accepts shell commands without proper input validation (CVE-2026-42271, CVSS 8.7). The command injection flaw chains with Starlette's host-header validation bypass (CVE-2026-48710, CVSS 6.5) to achieve unauthenticated RCE. CISA added CVE-2026-42271 to its KEV catalog on 2026-06-08, with active exploitation confirmed.
Why it matters
LiteLLM is the central chokepoint for AI model access in enterprise deployments. A compromised gateway exposes every provider API key, can rewrite model responses to steer agents toward attacker-chosen tool calls, and gives attackers access to the credential vault holding secrets for downstream AI services.
Attack vector
An unauthenticated attacker targets the command injection flaw in LiteLLM's MCP test endpoint (/mcp-rest/test). Chained with CVE-2026-48710 (the Starlette host-header bypass), the request bypasses authentication and achieves arbitrary command execution on the gateway host.
Affected systems
LiteLLM 1.74.2 through 1.83.6, when running on Starlette 0.8.3 through 1.0.0 (the unauthenticated chain requires both).
Mitigation
Upgrade to LiteLLM 1.83.7 or later and Starlette 1.0.1 or later. Rotate all provider API keys, master keys, and database credentials, since a compromised gateway may already have exposed them. CISA federal remediation deadline: 2026-06-22.
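A version-range check a defender can run on a gateway host before and after the upgrade, added as an example for this advisory (not a vendor or project tool). It assumes the ranges above are inclusive, compares only the leading numeric version components (pre-release suffixes are ignored), and reads installed versions via importlib.metadata.

```python
"""Check whether installed LiteLLM and Starlette versions fall inside the
ranges this advisory lists as affected (CVE-2026-42271 / CVE-2026-48710).
Added example, not a vendor-supplied tool."""
import re
from importlib import metadata

# Inclusive affected ranges, exactly as the advisory states them.
AFFECTED = {
    "litellm": ("1.74.2", "1.83.6"),
    "starlette": ("0.8.3", "1.0.0"),
}

def parse_version(v: str) -> tuple:
    """Turn '1.83.7' (or '1.83.7rc1', '1.83') into a 3-tuple of ints.
    Assumption: only leading numeric components are compared, so a
    pre-release such as 1.83.7rc1 compares equal to 1.83.7."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break  # stop at the first non-numeric segment (e.g. 'post1')
        nums.append(int(m.group()))
    nums = nums[:3] + [0] * (3 - len(nums[:3]))  # pad so tuples compare cleanly
    return tuple(nums)

def is_affected(package: str, version: str) -> bool:
    """True if `version` lies inside the advisory's inclusive affected range."""
    lo, hi = (parse_version(b) for b in AFFECTED[package])
    return lo <= parse_version(version) <= hi

def chain_exposed(litellm_version: str, starlette_version: str) -> bool:
    """The unauthenticated RCE chain needs both bugs present on one host;
    an affected LiteLLM alone still warrants the upgrade."""
    return is_affected("litellm", litellm_version) and is_affected("starlette", starlette_version)

def check_installed() -> dict:
    """Inspect the running environment: {package: (version or None, affected)}."""
    result = {}
    for pkg in AFFECTED:
        try:
            ver = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            result[pkg] = (None, False)
            continue
        result[pkg] = (ver, is_affected(pkg, ver))
    return result

if __name__ == "__main__":
    for pkg, (ver, bad) in check_installed().items():
        status = "AFFECTED" if bad else ("not installed" if ver is None else "ok")
        print(f"{pkg:10} {ver or '-':12} {status}")
```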