A serious security flaw in LiteLLM, tracked as CVE-2026-42271, is now being actively exploited by attackers. The vulnerability was recently added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog after confirmed reports of real-world attacks. Security researchers warn that organizations using vulnerable LiteLLM deployments could face significant risks if the issue is not addressed quickly.

The vulnerability is a command injection flaw with a CVSS score of 8.7. It affects LiteLLM versions starting from 1.74.2 up to, but not including, version 1.83.7. Researchers found that two testing endpoints used for previewing MCP servers before saving them could accept user-supplied server configurations containing command execution parameters. As a result, attackers could abuse these endpoints to run commands directly on the host system.

According to the vulnerability details, the affected endpoints accepted values such as command names, arguments, and environment variables. When the system attempted to test the connection, it automatically launched the supplied command as a subprocess on the server. This behavior created a dangerous situation where authenticated users could execute arbitrary commands with the same privileges as the LiteLLM proxy process.

Initially, the flaw was considered an authenticated vulnerability because attackers needed a valid LiteLLM API key to reach the affected functionality. However, further investigation by security researchers revealed a much more serious attack path. Researchers discovered that the flaw could be combined with another vulnerability, CVE-2026-48710, which affects the Starlette web framework used by some LiteLLM deployments.

The Starlette vulnerability allows attackers to bypass host header validation checks. By chaining CVE-2026-48710 with CVE-2026-42271, researchers demonstrated that authentication requirements could be completely bypassed on vulnerable systems. This means attackers may no longer need valid credentials to exploit the flaw and execute commands remotely.

Successful exploitation can allow attackers to run arbitrary commands on the LiteLLM server, access sensitive API keys, steal credentials stored by the proxy, and potentially move deeper into connected AI infrastructure. Security experts warn that compromised AI gateways can provide access to multiple downstream systems because they often store credentials for various AI providers and services.

Researchers also noted that LiteLLM has already faced multiple security incidents in recent months. Another critical vulnerability, CVE-2026-42208, was reportedly exploited within just 36 hours of public disclosure. The rapid exploitation of previous LiteLLM flaws highlights how quickly threat actors are targeting AI infrastructure and related technologies.

Organizations using LiteLLM are strongly advised to upgrade to version 1.83.7 or later immediately. Security teams should also update Starlette to version 1.0.1 or newer where applicable, review logs for suspicious activity involving MCP testing endpoints, rotate sensitive credentials, and investigate any signs of unauthorized command execution. With active exploitation already confirmed, delaying remediation could leave systems exposed to compromise.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news