LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
CVE-2026-42271
Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2026-06-08), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 8.8 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
A fix is available — apply it.
- CVSS v3
- 8.8
- EG Score
- 9.0(high)
- EPSS
- 99.6%
- KEV
- ⚠ Exploited
Published
May 8, 2026
Last Modified
July 15, 2026
Advisory Details (2)
Auto-updated May 8, 2026Authenticated command execution via MCP stdio test endpoints · Advisory · BerriAI/litellm · GitHub
https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94gRelease v1.83.7-stable · BerriAI/litellm · GitHub
https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stableVendor Advisories for CVE-2026-42271(4)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2026:30056Red Hat Product SecurityHigh
Red Hat Security Advisory: RHOAI 3.3.4 - Red Hat OpenShift AI
- RHSA-2026:28960Red Hat Product SecurityHigh
Red Hat Security Advisory: RHOAI 2.25.8 - Red Hat OpenShift AI
- RHSA-2026:27784Red Hat Product SecurityHigh
Red Hat Security Advisory: RHOAI 3.4.1 - Red Hat OpenShift AI
- GHSA-v4p8-mg3p-g94gGitHub Security AdvisoriesHigh
LiteLLM: Authenticated command execution via MCP stdio test endpoints
Patch Availability(3)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | rhoai/odh-llama-stack-core-rhel9:1782310008 | 2026-06-25 | redhat |
| redhat | rhoai/odh-llama-stack-core-rhel9:1781826406 | 2026-06-24 | redhat |
| redhat | rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9:1781622627 | 2026-06-22 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| litellm | 1.74.12 ... 1.83.6 (107 versions) | 1.83.7 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 92× in last 7d / 357× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 465 total refreshes for this CVE.
- 2026-07-16 13:30 UTCEG score recompute
- 2026-07-16 13:30 UTCVendor advisory
- 2026-07-16 09:32 UTCEG score recompute
- 2026-07-16 09:32 UTCVendor advisory
- 2026-07-16 05:34 UTCEG score recompute
- 2026-07-16 05:34 UTCVendor advisory
- 2026-07-16 01:36 UTCEG score recompute
- 2026-07-16 01:36 UTCVendor advisory
- 2026-07-15 21:38 UTCEG score recompute
- 2026-07-15 21:38 UTCVendor advisory
- 2026-07-15 17:41 UTCEG score recompute
- 2026-07-15 17:41 UTCVendor advisory
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 16:49 UTCCISA KEV update
- 2026-07-15 15:04 UTCCISA KEV update
- 2026-07-15 13:43 UTCEG score recompute
- 2026-07-15 13:43 UTCVendor advisory
- 2026-07-15 09:46 UTCEG score recompute
- 2026-07-15 09:46 UTCVendor advisory
- 2026-07-15 05:48 UTCEG score recompute
- 2026-07-15 05:48 UTCVendor advisory
- 2026-07-15 01:50 UTCEG score recompute
- 2026-07-15 01:50 UTCVendor advisory
- 2026-07-14 21:52 UTCEG score recompute
- 2026-07-14 21:52 UTCVendor advisory
Show 75 moreShow fewer
- 2026-07-14 18:05 UTCCISA KEV update
- 2026-07-14 17:54 UTCEG score recompute
- 2026-07-14 17:54 UTCVendor advisory
- 2026-07-14 13:56 UTCEG score recompute
- 2026-07-14 13:56 UTCVendor advisory
- 2026-07-14 09:58 UTCEG score recompute
- 2026-07-14 09:58 UTCVendor advisory
- 2026-07-14 06:00 UTCEG score recompute
- 2026-07-14 06:00 UTCVendor advisory
- 2026-07-14 02:02 UTCEG score recompute
- 2026-07-14 02:02 UTCVendor advisory
- 2026-07-13 22:04 UTCEG score recompute
- 2026-07-13 22:04 UTCVendor advisory
- 2026-07-13 18:06 UTCEG score recompute
- 2026-07-13 18:06 UTCVendor advisory
- 2026-07-13 17:07 UTCCISA KEV update
- 2026-07-13 14:08 UTCEG score recompute
- 2026-07-13 14:08 UTCVendor advisory
- 2026-07-13 10:09 UTCEG score recompute
- 2026-07-13 10:09 UTCVendor advisory
- 2026-07-13 06:11 UTCEG score recompute
- 2026-07-13 06:11 UTCVendor advisory
- 2026-07-13 02:13 UTCEG score recompute
- 2026-07-13 02:13 UTCVendor advisory
- 2026-07-12 22:15 UTCEG score recompute
- 2026-07-12 22:15 UTCVendor advisory
- 2026-07-12 18:17 UTCEG score recompute
- 2026-07-12 18:17 UTCVendor advisory
- 2026-07-12 14:18 UTCEG score recompute
- 2026-07-12 14:18 UTCVendor advisory
- 2026-07-12 10:21 UTCEG score recompute
- 2026-07-12 10:21 UTCVendor advisory
- 2026-07-12 06:22 UTCEG score recompute
- 2026-07-12 06:22 UTCVendor advisory
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-12 02:24 UTCEG score recompute
- 2026-07-12 02:24 UTCVendor advisory
- 2026-07-11 22:26 UTCEG score recompute
- 2026-07-11 22:26 UTCVendor advisory
- 2026-07-11 18:29 UTCEG score recompute
- 2026-07-11 18:29 UTCVendor advisory
- 2026-07-11 14:31 UTCEG score recompute
- 2026-07-11 14:31 UTCVendor advisory
- 2026-07-11 10:32 UTCEG score recompute
- 2026-07-11 10:32 UTCVendor advisory
- 2026-07-11 06:34 UTCEG score recompute
- 2026-07-11 06:34 UTCVendor advisory
- 2026-07-11 02:36 UTCEG score recompute
- 2026-07-11 02:36 UTCVendor advisory
- 2026-07-10 22:38 UTCEG score recompute
- 2026-07-10 22:38 UTCVendor advisory
- 2026-07-10 18:41 UTCEG score recompute
- 2026-07-10 18:41 UTCVendor advisory
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 14:43 UTCEG score recompute
- 2026-07-10 14:43 UTCVendor advisory
- 2026-07-10 10:46 UTCEG score recompute
- 2026-07-10 10:46 UTCVendor advisory
- 2026-07-10 06:48 UTCEG score recompute
- 2026-07-10 06:48 UTCVendor advisory
- 2026-07-10 02:50 UTCEG score recompute
- 2026-07-09 22:51 UTCEG score recompute
- 2026-07-09 22:51 UTCVendor advisory
- 2026-07-09 18:54 UTCEG score recompute
- 2026-07-09 18:54 UTCVendor advisory
- 2026-07-09 14:56 UTCEG score recompute
- 2026-07-09 14:56 UTCVendor advisory
- 2026-07-09 10:58 UTCEG score recompute
- 2026-07-09 10:58 UTCVendor advisory
- 2026-07-09 07:01 UTCEG score recompute
- 2026-07-09 07:01 UTCVendor advisory
- 2026-07-09 03:03 UTCEG score recompute
- 2026-07-09 03:03 UTCVendor advisory
- 2026-07-08 23:06 UTCEG score recompute
- 2026-07-08 23:06 UTCVendor advisory
Publicly available exploits
(2 references)Working exploit code is in the public domain (1 GitHub PoC). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCamnsecurity/CVE-2026-42271-LiteLLM-RCEFirst seen Jul 7, 2026
CVE-2026-42271 - LiteLLM AI Gateway MCP Command Injection RCE - PoC & Analysis | CVSS 8.8 | AMN SECURITY
Open source ↗ - Nucleihttp/cves/2026/CVE-2026-42271.yamlFirst seen Jan 1, 2026
LiteLLM - Command Injection
Open source ↗
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-78 · CWE-77
- CVE-2009-20011EG 10.0CRITICAL
- CVE-2011-10017EG 10.0CRITICAL
- CVE-2011-10026EG 9.8CRITICAL
- CVE-2011-2195EG 9.8CRITICAL
- CVE-2011-2523EG 9.8EPSS 100%CRITICAL
- CVE-2010-5330EG 9.8 KEVEPSS 98%CRITICAL
- CVE-2009-5156EG 9.8EPSS 95%CRITICAL
- CVE-2007-3010EG 9.8 KEVEPSS 100%CRITICAL
- CVE-2005-2773EG 9.8 KEVEPSS 99%CRITICAL
- CVE-1999-0043EG 9.8EPSS 99%CRITICAL
Frequently asked(6)
What is CVE-2026-42271?
When was CVE-2026-42271 disclosed?
Is CVE-2026-42271 actively exploited?
What is the CVSS score of CVE-2026-42271?
Which products are affected by CVE-2026-42271?
How do I remediate CVE-2026-42271?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-42271
Is Your Infrastructure Affected by CVE-2026-42271?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.