Authenticated Command Injection in LiteLLM MCP Test Endpoints (CVE-2026-42271)
by Horizon3.ai (discovery/writeup); learner202649 (PoC) · 2026-07-01
- Severity: High
- CVE: CVE-2026-42271
- Category: web
- Affected product: BerriAI LiteLLM (proxy) — MCP preview/test endpoints
- Affected versions: 1.74.2 through 1.83.6
- Disclosed: 2026-07-01
- Patch status: patched
- Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-07-01 |
| Last Updated | 2026-06 |
| Author / Researcher | Horizon3.ai (discovery/writeup); learner202649 (PoC) |
| CVE / Advisory | CVE-2026-42271 |
| Category | web |
| Severity | High |
| CVSS Score | 8.7 (CVSSv3) |
| Status | PoC |
| Tags | command-injection, LiteLLM, MCP, AI-application, ai-gateway, authenticated, api-key, subprocess |
| Related | CVE-2026-48710 |
Affected Target
| Field | Value |
|---|---|
| Software / System | BerriAI LiteLLM (proxy) — MCP preview/test endpoints |
| Versions Affected | 1.74.2 through 1.83.6 |
| Language / Platform | Python |
| Authentication Required | Yes (any valid proxy API key, including low-privilege internal-user keys) |
| Network Access Required | Yes (HTTP to LiteLLM proxy) |
Summary
CVE-2026-42271 is a command injection vulnerability in BerriAI LiteLLM’s MCP preview/test endpoints — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. These endpoints accept a full MCP server configuration in the request body, including stdio-transport fields (command, args, env). When a request specifies a stdio configuration, LiteLLM spawns the supplied command as a subprocess on the proxy host to test the connection. The endpoints were protected only by possession of a valid proxy API key with no role check, so any authenticated user — including low-privilege internal-user key holders — could supply arbitrary commands for execution with the privileges of the LiteLLM proxy process. Horizon3.ai’s research also notes this can be chained with CVE-2026-48710 for unauthenticated exploitation in some configurations. Fixed in LiteLLM 1.83.7 by restricting these endpoints to the PROXY_ADMIN role.
Vulnerability Details
Root Cause
The MCP test-connection endpoints accept attacker-controlled command/args/env fields for a stdio-transport MCP server and pass them directly to a subprocess spawn, with only API-key possession (not role) enforced as authorization.
Attack Vector
- Obtain any valid LiteLLM proxy API key (including a low-privilege internal-user key).
- Send a POST /mcp-rest/test/connection request with an MCP stdio transport configuration whose command/args execute an attacker-chosen command.
- LiteLLM spawns the subprocess on the proxy host, executing the attacker’s payload with the privileges of the proxy process.
Impact
Command execution on the LiteLLM proxy host by any authenticated API-key holder, regardless of intended role — including blind/interactive shell access and environment-variable/secret extraction.
Environment / Lab Setup
Target: LiteLLM proxy 1.74.2 - 1.83.6, docker-compose.yml pins vulnerable v1.82.6 for local repro
Attacker: Python 3 + requests, valid LiteLLM proxy API key
Proof of Concept
PoC Script
See exploit.py and payload.py in this folder.
Sends a crafted POST request to /mcp-rest/test/connection with a malicious stdio MCP configuration to trigger subprocess execution on the target host. Includes interactive blind-shell and reverse-shell payload generation, plus environment-variable extraction.
Detection & Indicators of Compromise
Signs of compromise:
- Unexpected subprocess creation by the LiteLLM proxy process
- Outbound network connections or file access inconsistent with normal LiteLLM operation
- API-key usage patterns showing MCP test-endpoint calls from keys with no legitimate MCP configuration need
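Added example (not part of the original entry or the PoC repository): a log hunt for the third indicator above, flagging POSTs to the two MCP test endpoints made with keys outside an admin allowlist. It assumes a reverse proxy in front of LiteLLM that writes JSON-lines access logs with the hypothetical fields ts, src_ip, method, path, status and key_alias; the sample log and key aliases are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Endpoints named in the summary of this entry.
MCP_TEST_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

# Constructed sample log; field names and key aliases are assumptions.
SAMPLE_LOG = """\
{"ts":"2026-07-01T10:00:01Z","src_ip":"10.0.0.5","method":"POST","path":"/chat/completions","status":200,"key_alias":"svc-app"}
{"ts":"2026-07-01T10:02:13Z","src_ip":"10.0.0.9","method":"POST","path":"/mcp-rest/test/connection","status":200,"key_alias":"intern-42"}
{"ts":"2026-07-01T10:02:40Z","src_ip":"10.0.0.9","method":"post","path":"/mcp-rest/test/tools/list/?x=1","status":200,"key_alias":"intern-42"}
{"ts":"2026-07-01T10:05:00Z","src_ip":"10.0.0.2","method":"POST","path":"/mcp-rest/test/connection","status":200,"key_alias":"platform-admin"}
{"ts":"2026-07-01T10:06:00Z","src_ip":"10.0.0.7","method":"GET","path":"/mcp-rest/test/connection","status":405,"key_alias":"svc-app"}
not-json garbage line
"""

def normalize_path(raw):
    """Drop the query string, duplicate slashes and any trailing slash."""
    parts = [p for p in urlsplit(raw).path.split("/") if p]
    return "/" + "/".join(parts)

def find_mcp_test_calls(log_text, admin_key_aliases):
    """Return POSTs to the MCP test endpoints made with non-admin keys."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        if not isinstance(rec, dict):
            continue
        if str(rec.get("method", "")).upper() != "POST":
            continue
        if normalize_path(str(rec.get("path", ""))) not in MCP_TEST_PATHS:
            continue
        if rec.get("key_alias") in admin_key_aliases:
            continue  # expected caller once endpoints are admin-only
        findings.append(rec)  # a missing key_alias is flagged too
    return findings

def calls_per_key(findings):
    """Count flagged calls per key alias to prioritise review."""
    return Counter(f.get("key_alias") for f in findings)

if __name__ == "__main__":
    hits = find_mcp_test_calls(SAMPLE_LOG, {"platform-admin"})
    for alias, n in calls_per_key(hits).items():
        print(f"{alias}: {n} MCP test-endpoint call(s); check proxy host for child processes")
```

Each flagged timestamp can then be correlated with process-creation telemetry on the proxy host, matching the first indicator in the list.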
Remediation
| Action | Detail |
|---|---|
| Primary fix | Upgrade LiteLLM to 1.83.7 or later (restricts MCP test endpoints to PROXY_ADMIN role) |
| Interim mitigation | Restrict MCP test-endpoint access at a reverse proxy/WAF layer to admin-only source IPs/keys |
| Verify | BerriAI advisory GHSA-v4p8-mg3p-g94g |
References
- Horizon3.ai — CVE-2026-42271 chained with CVE-2026-48710
- BerriAI/litellm Security Advisory GHSA-v4p8-mg3p-g94g
- The Hacker News — LiteLLM flaw CVE-2026-42271 exploited
- Source repository (learner202649)
Notes
Auto-ingested from https://github.com/learner202649/CVE-2026-42271-PoC on 2026-07-01. Author’s other repos are narrowly scoped to the same LiteLLM CVE cluster (CVE-2026-47101, -47102, -40217, -35029/30), consistent with focused personal research rather than bulk CVE-farming.