GHSA-v4p8-mg3p-g94gHighCVSS 8.8

LiteLLM: Authenticated command execution via MCP stdio test endpoints

Published
April 25, 2026
Last Modified
June 9, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.

The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host.

Patches

Fixed in 1.83.7. Both test endpoints now require the PROXY_ADMIN role, bringing them into line with the save endpoint.

Workarounds

If upgrading is not immediately possible, developers should block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at their reverse proxy or API gateway.

🎯 Affected products1

  • pip/litellm:>= 1.74.2, < 1.83.7

🔗 References (5)