What happened
Obsidian Security disclosed a three-CVE chain on 2026-06-15 in LiteLLM, an AI gateway broker. The vulnerability allows any low-privilege user to escalate to full administrator and execute arbitrary code on the proxy server. A separate RCE (CVE-2026-42271) in the MCP test endpoints was weaponized within days and added to CISA's KEV catalog. The chain enables response rewriting and steering of downstream agents toward attacker-controlled tool calls.
Why it matters
LiteLLM is a critical control plane for AI applications. Compromise grants attackers access to credentials for 100+ model providers (OpenAI, Anthropic, Claude, GPT-5, etc.), model API keys, stored secrets that decrypt credentials, and full visibility into every prompt and response passing through the gateway. An attacker can rewrite model responses in real-time to steer agents (coding agents, reasoning agents) toward malicious tool execution.
Attack vector
Low-privilege user on LiteLLM proxy mints an API key with wildcard allowed_routes, promotes themselves to proxy_admin via self-update, then escalates to RCE via MCP command injection in test endpoints
Affected systems
LiteLLM versions 1.74.2 through versions before 1.83.14-stable
Mitigation
Update to LiteLLM 1.83.14-stable or later; revoke exposed API keys and proxy_admin credentials