AI infrastructure is becoming a serious attack surface. The latest example is LiteLLM CVE-2026-42271, a command injection vulnerability in BerriAI LiteLLM that CISA has added to its Known Exploited Vulnerabilities catalog after evidence of active exploitation.
LiteLLM is a popular open-source AI gateway and Python SDK used to route requests to different LLM providers through OpenAI-compatible interfaces. That makes it a sensitive piece of infrastructure. It often sits between applications, users, API keys, model providers, internal tools, and AI workflows.
The vulnerability is dangerous on its own because an authenticated user with a valid proxy API key could execute arbitrary commands on the LiteLLM host. But the risk becomes even more severe when chained with CVE-2026-48710, a Starlette Host header validation bypass. Horizon3.ai reported that this chain can bypass authentication entirely and turn the issue into unauthenticated remote code execution against vulnerable LiteLLM deployments.
What Is CVE-2026-42271?
CVE-2026-42271 is a command injection vulnerability affecting the LiteLLM Python package. According to NVD, LiteLLM versions from 1.74.2 before 1.83.7 are affected. The issue exists in two MCP server preview endpoints that accepted full server configuration data in the request body, including command execution fields used by the stdio transport.
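Two defender-side checks follow from the description above: an inventory check that tells you whether an installed LiteLLM version falls inside the affected range the article quotes, and a request-body guard that refuses MCP server configuration carrying process-launch fields (the stdio transport) so that only network transports reach the gateway. The code below is an added illustration written for this article; it is not LiteLLM's own code, and the JSON field names it inspects (transport, command, args, env) are assumptions standing in for whatever the real endpoints accept.

```python
"""Added example: version-range and request-body checks for the LiteLLM MCP issue.

Not LiteLLM code. Field names used by the request guard are assumptions.
"""
from __future__ import annotations

# Affected range as quoted from NVD in the article: from 1.74.2 before 1.83.7.
AFFECTED_MIN = (1, 74, 2)
FIXED = (1, 83, 7)


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.83.7' (or 'v1.83.7', '1.83.7rc1') into a comparable tuple of ints."""
    core = v.strip().lstrip("v").split("+")[0]
    parts: list[int] = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break  # stop at the first non-numeric suffix (rc, dev, ...)
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed LiteLLM version lies in [1.74.2, 1.83.7)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


# Assumed field names: keys that would make the proxy spawn a local process.
PROCESS_SPAWN_FIELDS = {"command", "args", "env"}


def find_process_spawn_fields(body, path: str = "") -> list[str]:
    """Recursively collect JSON paths of keys that select a stdio transport or drive a process launch."""
    hits: list[str] = []
    if isinstance(body, dict):
        for key, value in body.items():
            here = f"{path}.{key}" if path else key
            if key in PROCESS_SPAWN_FIELDS or (key == "transport" and str(value).lower() == "stdio"):
                hits.append(here)
            hits.extend(find_process_spawn_fields(value, here))
    elif isinstance(body, list):
        for i, item in enumerate(body):
            hits.extend(find_process_spawn_fields(item, f"{path}[{i}]"))
    return hits


def validate_mcp_server_request(body: dict) -> tuple[bool, list[str]]:
    """Accept only configurations with no process-launch fields; return (ok, offending paths)."""
    hits = find_process_spawn_fields(body)
    return (len(hits) == 0, hits)


# Constructed sample request bodies for demonstration (not captured traffic).
SAFE_BODY = {"server_name": "docs", "transport": "http", "url": "https://mcp.example.internal/"}
RISKY_BODY = {"server_name": "tools", "transport": "stdio", "command": "some-local-binary", "args": ["--flag"]}


if __name__ == "__main__":
    for v in ("1.74.1", "1.74.2", "1.83.6", "1.83.7"):
        print(v, "affected" if is_affected(v) else "not affected")
    for label, body in (("safe", SAFE_BODY), ("risky", RISKY_BODY)):
        ok, hits = validate_mcp_server_request(body)
        print(label, "accepted" if ok else f"rejected, offending fields: {hits}")
```

The version check is only a triage aid: confirm the deployed package version against the vendor advisory rather than a pip listing alone, since a container image can pin a different release than the host. The request guard is deliberately deny-by-structure rather than deny-by-value, so a renamed binary or an encoded argument does not slip past it; the correct fix remains upgrading to a fixed release.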